Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
Published: 2026-01-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Command injection via argument delimiters
Action: Immediate Upgrade
AI Analysis

Impact

The vulnerability is an improper neutralization of argument delimiters in a command, classified as argument injection. Attackers can manipulate web services protocol commands, allowing unauthorized actions or potentially the execution of arbitrary code. The weakness corresponds to CWE-88 and, if exploited successfully, results in a compromise of confidentiality or integrity.

Affected Systems

The affected system is Salesforce Marketing Cloud Engagement, specifically the MicrositeUrl module. All instances running versions published before January 21, 2026 are potentially vulnerable. No other vendors or product versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.8 marks this as critical, and although EPSS is low (<1%), the possibility of exploitation exists, especially for privileged users or exposed services. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote via web services, with the attacker needing to craft requests that insert unneutralized delimiters into command arguments. Successful exploitation would grant the attacker elevated privileges or command execution within the service context.

Generated by OpenCVE AI on April 18, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of Salesforce Marketing Cloud Engagement released after January 21, 2026 to ensure the argument neutralization fix is applied
  • If an upgrade is not immediately possible, restrict access to the MicrositeUrl module or block untrusted incoming requests to reduce exposure
  • Validate and sanitize all command arguments before processing to prevent delimiter injection, enforcing strict whitelisting of allowed characters

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Title Improper Neutralization of Argument Delimiters in a Command Leading to Web Services Protocol Manipulation in Salesforce Marketing Cloud Engagement

Thu, 12 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:salesforce:marketing_cloud_engagement:*:*:*:*:*:*:*:*

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Salesforce
Salesforce marketing Cloud Engagement
Vendors & Products Salesforce
Salesforce marketing Cloud Engagement

Sat, 24 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
Weaknesses CWE-88
References

MITRE

Status: PUBLISHED

Assigner: Salesforce

Published:

Updated: 2026-04-29T19:24:51.939Z

Reserved: 2026-01-07T19:03:25.719Z

Link: CVE-2026-22582

Vulnrichment

Updated: 2026-01-26T16:25:28.451Z

NVD

Status: Analyzed

Published: 2026-01-24T01:15:49.920

Modified: 2026-02-12T16:13:12.287

Link: CVE-2026-22582

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses