CVE-2026-22582

Critical

Published: 24 January 2026

Published

24 January 2026

Modified

12 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22582 is a critical-severity Argument Injection (CWE-88) vulnerability in Salesforce Marketing Cloud Engagement. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates this CVE by requiring timely flaw remediation through application of the specified Salesforce Marketing Cloud Engagement patch released on January 21st, 2026.

SI-10 Information Input Validation good match

prevent

Prevents argument injection (CWE-88) by enforcing information input validation and error handling to neutralize argument delimiters in the MicrositeUrl module.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables detection of critical vulnerabilities like CVE-2026-22582 via regular vulnerability scanning of affected systems.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Argument injection (CWE-88) in public-facing MicrositeUrl web service module directly enables remote unauthenticated exploitation of the application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

Deeper analysisAI

CVE-2026-22582 is an Improper Neutralization of Argument Delimiters in a Command, classified as Argument Injection (CWE-88), in the MicrositeUrl module of Salesforce Marketing Cloud Engagement. This vulnerability allows Web Services Protocol Manipulation and affects Marketing Cloud Engagement versions prior to January 21st, 2026. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impacts.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables Web Services Protocol Manipulation, potentially leading to high confidentiality, integrity, and availability impacts on affected systems.

The Salesforce security advisory provides mitigation guidance at https://help.salesforce.com/s/articleView?id=005299346&type=1. Affected organizations should apply updates to Marketing Cloud Engagement released on or after January 21st, 2026.