{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22582", "assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "state": "PUBLISHED", "assignerShortName": "Salesforce", "dateReserved": "2026-01-07T19:03:25.719Z", "datePublished": "2026-01-24T00:19:26.449Z", "dateUpdated": "2026-04-29T19:24:51.939Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce", "dateUpdated": "2026-04-29T19:24:51.939Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-278", "descriptions": [{"lang": "en", "value": "CAPEC-278 Web Services Protocol Manipulation"}]}], "affected": [{"vendor": "Salesforce", "product": "Marketing Cloud Engagement", "modules": ["MicrositeUrl"], "versions": [{"status": "affected", "version": "0", "lessThan": "January 21, 2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.<p></p>"}]}], "references": [{"url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "credits": [{"lang": "en", "value": "s.shah@slcyber.io", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22582", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T04:55:32.549609Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:52.985Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22582", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T04:55:32.549609Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T16:25:28.451Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "s.shah@slcyber.io"}], "impacts": [{"capecId": "CAPEC-278", "descriptions": [{"lang": "en", "value": "CAPEC-278 Web Services Protocol Manipulation"}]}], "affected": [{"vendor": "Salesforce", "modules": ["MicrositeUrl"], "product": "Marketing Cloud Engagement", "versions": [{"status": "affected", "version": "0", "lessThan": "January 21, 2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce", "dateUpdated": "2026-04-29T19:24:51.939Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22582", "state": "PUBLISHED", "dateUpdated": "2026-04-29T19:24:51.939Z", "dateReserved": "2026-01-07T19:03:25.719Z", "assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "datePublished": "2026-01-24T00:19:26.449Z", "assignerShortName": "Salesforce"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:salesforce:marketing_cloud_engagement:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A41CCDE-A5EA-45D6-A009-A6908459C453", "versionEndExcluding": "2026-01-21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026."}], "id": "CVE-2026-22582", "lastModified": "2026-02-12T16:13:12.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-24T01:15:49.920", "references": [{"source": "security@salesforce.com", "tags": ["Vendor Advisory"], "url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "sourceIdentifier": "security@salesforce.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security@salesforce.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:01:10.276887+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of Salesforce Marketing Cloud Engagement released after January 21, 2026 to ensure the argument neutralization fix is applied", "If an upgrade is not immediately possible, restrict access to the MicrositeUrl module or block untrusted incoming requests to reduce exposure", "Validate and sanitize all command arguments before processing to prevent delimiter injection, enforcing strict whitelisting of allowed characters"], "summary": {"action": "Immediate Upgrade", "impact": "Command injection via argument delimiters"}, "threat_synthesis": {"affected_systems": "The affected system is Salesforce Marketing Cloud Engagement, specifically the MicrositeUrl module. All instances running versions published before January 21, 2026 are potentially vulnerable. No other vendors or product versions are listed as affected.", "description_and_impact": "The vulnerability is an improper neutralization of argument delimiters in a command, classified as argument injection. Attackers can manipulate web services protocol commands allowing unauthorized actions or potentially executing arbitrary code. The weakness corresponds to CWE-88 and results in confidentiality or integrity compromise if exploited successfully.", "risk_and_exploitability": "The CVSS score of 9.8 marks this as critical, and although EPSS is low (<1%), the possibility of exploitation exists, especially for privileged users or exposed services. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote via web services, with the attacker needing to craft requests that insert unneutralized delimiters into command arguments. Successful exploitation would grant the attacker elevated privileges or command execution within the service context."}}}}, "created": "2026-01-26T11:48:44.965688+00:00", "title": "Improper Neutralization of Argument Delimiters in a Command Leading to Web Services Protocol Manipulation in Salesforce Marketing Cloud Engagement", "updated": "2026-04-18T03:15:35.423614+00:00", "vendors": ["salesforce", "salesforce$PRODUCT$marketing_cloud_engagement"]}