{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2298", "assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "state": "PUBLISHED", "assignerShortName": "Salesforce", "dateReserved": "2026-02-10T16:35:08.344Z", "datePublished": "2026-03-23T19:54:32.967Z", "dateUpdated": "2026-04-29T19:26:59.300Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce", "dateUpdated": "2026-04-29T19:26:59.300Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-278", "descriptions": [{"lang": "en", "value": "CAPEC-278 Web Services Protocol Manipulation"}]}], "affected": [{"vendor": "Salesforce", "product": "Marketing Cloud Engagement", "versions": [{"status": "affected", "version": "0", "lessThan": "January 30th, 2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.</p>"}]}], "references": [{"url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "credits": [{"lang": "en", "value": "s.shah@slcyber.io", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:55:49.902140Z", "id": "CVE-2026-2298", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:56:07.641Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2298", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:55:49.902140Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:54:38.547Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "s.shah@slcyber.io"}], "impacts": [{"capecId": "CAPEC-278", "descriptions": [{"lang": "en", "value": "CAPEC-278 Web Services Protocol Manipulation"}]}], "affected": [{"vendor": "Salesforce", "product": "Marketing Cloud Engagement", "versions": [{"status": "affected", "version": "0", "lessThan": "January 30th, 2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce", "dateUpdated": "2026-04-29T19:26:59.300Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2298", "state": "PUBLISHED", "dateUpdated": "2026-04-29T19:26:59.300Z", "dateReserved": "2026-02-10T16:35:08.344Z", "assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "datePublished": "2026-03-23T19:54:32.967Z", "assignerShortName": "Salesforce"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026."}, {"lang": "es", "value": "Neutralizaci\u00f3n Inadecuada de Delimitadores de Argumentos en un Comando ('Inyecci\u00f3n de Argumentos') vulnerabilidad en Salesforce Marketing Cloud Engagement permite la Manipulaci\u00f3n del Protocolo de Servicios Web. Este problema afecta a Marketing Cloud Engagement: antes del 30 de enero de 2026."}], "id": "CVE-2026-2298", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T20:16:25.523", "references": [{"source": "security@salesforce.com", "url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "sourceIdentifier": "security@salesforce.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security@salesforce.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,January 30th, 2026)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Marketing Cloud Engagement", "source": "cna", "vendor": "Salesforce"}, "product": "marketing_cloud_engagement", "vendor": "salesforce"}], "analysis": {"en": {"generated_at": "2026-03-24T17:25:28.469761+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011released update that removes the command injection flaw, released after January\u202f30\u202f2026.", "If patching cannot be performed immediately, implement rate limiting or access controls for the Marketing Cloud Engagement web services API to reduce exposure.", "Monitor API traffic for anomalous argument patterns that may indicate injection attempts.", "Verify that all instances are updated on or before January\u202f30\u202f2026 to ensure full remediation."], "summary": {"action": "Immediate Patch", "impact": "Command Injection (Remote Code Execution)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Salesforce Marketing Cloud Engagement releases dated before January\u202f30,\u202f2026. No further version details are provided, so any instance predating that date is considered vulnerable. The product in question is Salesforce Marketing Cloud Engagement.", "description_and_impact": "Improper neutralization of argument delimiters in Salesforce Marketing Cloud Engagement\u2019s command processing enables attackers to inject malicious content via crafted web service requests. The injected delimiters cause the platform to treat the payload as additional command arguments, allowing unintended command execution that can compromise confidentiality, integrity, or availability. This flaw is identified as a command injection weakness (CWE\u201188).", "risk_and_exploitability": "The vendor assigns a CVSS score of 9.4, indicating critical severity with full network reach and high impact. The current exploit probability is below 1\u202f%, and the flaw is not listed in the known exploited vulnerabilities catalog. The likely attack vector is remote, through the web services API, where malformed request payloads trigger injection. No explicit authentication requirement is mentioned, suggesting that any entity able to access the API could potentially exploit the flaw. The combination of high severity and remote accessibility warrants urgent remediation."}}}}, "created": "2026-03-24T10:32:58.504018+00:00", "title": "Argument Injection via Web Services in Salesforce Marketing Cloud Engagement", "updated": "2026-03-25T20:36:47.872441+00:00", "vendors": ["salesforce", "salesforce$PRODUCT$marketing_cloud_engagement"]}