Loading

Vulnerabilities Addressed in Marketing Cloud Engagement

Date de publication: Mar 23, 2026
Description

Salesforce Security identified and resolved Web Services Protocol Manipulation vulnerabilities in Marketing Cloud Engagement (MCE) and deployed enhanced AES-GCM encryption across our platform. For Marketing Cloud Engagement customers, this deployment was completed on January 21, 2026 at 23:00 UTC. Links generated in emails sent after this date use the new encryption and are not vulnerable to these issues.

Title: CVE-2026-22585

Description:
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (Clicks, CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allowed Web Services Protocol Manipulation. This issue affected Marketing Cloud Engagement before January 21, 2026.

CVSS: 8.7 HIGH 


Title: CVE-2026-22586

Description:
Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (Clicks, CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allowed Web Services Protocol Manipulation. This issue affected Marketing Cloud Engagement before January 21, 2026.

CVSS: 8.7 HIGH

Title: CVE-2026-22582

Description:
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allowed Web Services Protocol Manipulation. This issue affected Marketing Cloud Engagement before January 21, 2026.

CVSS: 8.7 HIGH

Title: CVE-2026-22583

Description:
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allowed Web Services Protocol Manipulation. This issue affected Marketing Cloud Engagement: before January 21, 2026.

 

CVSS: 8.7 HIGH

 

Title: CVE-2026-2298

 

Description:

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allowed Web Services Protocol Manipulation. This issue affected Marketing Cloud Engagement before January 30, 2026.

 

CVSS: 8.7 HIGH

Numéro d’article de la base de connaissances

005299346

 
Chargement
Salesforce Help | Article