Marketing Cloud Engagement
Monthly
An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public POC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.
Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profile Center, and Subscription Center. Fourth critical Salesforce CVE.
Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a Friend, Profile Center, and Subscription Center components.
Argument injection in Salesforce Marketing Cloud Engagement CloudPagesURL component. Second Salesforce Marketing Cloud CVE with same root cause.
Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of four critical Salesforce Marketing Cloud CVEs.
An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public POC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.
Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profile Center, and Subscription Center. Fourth critical Salesforce CVE.
Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a Friend, Profile Center, and Subscription Center components.
Argument injection in Salesforce Marketing Cloud Engagement CloudPagesURL component. Second Salesforce Marketing Cloud CVE with same root cause.
Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of four critical Salesforce Marketing Cloud CVEs.