Primary

Context

Salesforce Marketing Cloud Engagement Argument Injection Vulnerability in CloudPagesUrl Module Allowing Web Services Protocol Manipulation

Vulnerability

A vulnerability allowing argument injection has been identified in the CloudPagesUrl module of Salesforce Marketing Cloud Engagement. This issue arises from improper neutralization of argument delimiters, which can be exploited to manipulate web services protocols. The vulnerability affects Marketing Cloud Engagement versions prior to January 21, 2026.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of web services protocols, potentially allowing for further attacks or exploitation of other vulnerabilities.

Remediation

Salesforce has deployed a patch for this vulnerability, and Marketing Cloud Engagement customers can ensure they are no longer vulnerable by using links generated after January 21, 2026, at 23:00 UTC.

Added: Jan 24, 2026, 1:24 AM

Updated: Jan 24, 2026, 1:24 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.0

exploitability

7.4

remediation

0.0

relevance

2.3

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.0

exploitability

7.4

remediation

0.0

relevance

2.3

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Salesforce Marketing Cloud Engagement Argument Injection Vulnerability in CloudPagesUrl Module Allowing Web Services Protocol Manipulation

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating