Skip to main content

Marketing Cloud Engagement

5 CVEs product

Monthly

CVE-2026-2298 CRITICAL Act Now

An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public POC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.

Code Injection Marketing Cloud Engagement
NVD VulDB
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-22586 CRITICAL Act Now

Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profile Center, and Subscription Center. Fourth critical Salesforce CVE.

Information Disclosure Marketing Cloud Engagement
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22585 CRITICAL Act Now

Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a Friend, Profile Center, and Subscription Center components.

Information Disclosure Marketing Cloud Engagement
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22583 CRITICAL Act Now

Argument injection in Salesforce Marketing Cloud Engagement CloudPagesURL component. Second Salesforce Marketing Cloud CVE with same root cause.

Code Injection Marketing Cloud Engagement
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22582 CRITICAL Act Now

Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of four critical Salesforce Marketing Cloud CVEs.

Code Injection Marketing Cloud Engagement
NVD
CVSS 3.1
9.8
EPSS
0.0%
EPSS 0% CVSS 9.4
CRITICAL Act Now

An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public POC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.

Code Injection Marketing Cloud Engagement
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profile Center, and Subscription Center. Fourth critical Salesforce CVE.

Information Disclosure Marketing Cloud Engagement
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a Friend, Profile Center, and Subscription Center components.

Information Disclosure Marketing Cloud Engagement
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Argument injection in Salesforce Marketing Cloud Engagement CloudPagesURL component. Second Salesforce Marketing Cloud CVE with same root cause.

Code Injection Marketing Cloud Engagement
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of four critical Salesforce Marketing Cloud CVEs.

Code Injection Marketing Cloud Engagement
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy