Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.
Published: 2026-03-23
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection (Remote Code Execution)
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of argument delimiters in Salesforce Marketing Cloud Engagement’s command processing enables attackers to inject malicious content via crafted web service requests. The injected delimiters cause the platform to treat the payload as additional command arguments, allowing unintended command execution that can compromise confidentiality, integrity, or availability. This flaw is identified as a command injection weakness (CWE‑88).

Affected Systems

The vulnerability affects all Salesforce Marketing Cloud Engagement releases dated before January 30, 2026. No further version details are provided, so any instance predating that date is considered vulnerable. The product in question is Salesforce Marketing Cloud Engagement.

Risk and Exploitability

The vendor assigns a CVSS score of 9.4, indicating critical severity with full network reach and high impact. The current exploit probability is below 1 %, and the flaw is not listed in the known exploited vulnerabilities catalog. The likely attack vector is remote, through the web services API, where malformed request payloads trigger injection. No explicit authentication requirement is mentioned, suggesting that any entity able to access the API could potentially exploit the flaw. The combination of high severity and remote accessibility warrants urgent remediation.

Generated by OpenCVE AI on March 24, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released update that removes the command injection flaw, released after January 30 2026.
  • If patching cannot be performed immediately, implement rate limiting or access controls for the Marketing Cloud Engagement web services API to reduce exposure.
  • Monitor API traffic for anomalous argument patterns that may indicate injection attempts.
  • Verify that all instances are updated on or before January 30 2026 to ensure full remediation.

Generated by OpenCVE AI on March 24, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Argument Injection via Web Services in Salesforce Marketing Cloud Engagement

Tue, 24 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Salesforce
Salesforce marketing Cloud Engagement
Vendors & Products Salesforce
Salesforce marketing Cloud Engagement

Mon, 23 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.
Weaknesses CWE-88
References

Subscriptions

Salesforce Marketing Cloud Engagement
cve-icon MITRE

Status: PUBLISHED

Assigner: Salesforce

Published:

Updated: 2026-03-24T14:56:07.641Z

Reserved: 2026-02-10T16:35:08.344Z

Link: CVE-2026-2298

cve-icon Vulnrichment

Updated: 2026-03-24T14:54:38.547Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T20:16:25.523

Modified: 2026-03-24T15:54:09.400

Link: CVE-2026-2298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:47Z

Weaknesses