Cyber Resilience

CVE-2026-22582

Critical

Published: 24 January 2026

Published
24 January 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0066 46.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22582 is a critical-severity Argument Injection (CWE-88) vulnerability in Salesforce Marketing Cloud Engagement. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22582 is an Improper Neutralization of Argument Delimiters in a Command, classified as Argument Injection (CWE-88), in the MicrositeUrl module of Salesforce Marketing Cloud Engagement. This vulnerability allows Web Services Protocol Manipulation and affects Marketing Cloud Engagement versions prior to January 21st, 2026. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impacts.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables Web Services Protocol Manipulation, potentially leading to high confidentiality, integrity, and availability impacts on affected systems.

The Salesforce security advisory provides mitigation guidance at https://help.salesforce.com/s/articleView?id=005299346&type=1. Affected organizations should apply updates to Marketing Cloud Engagement released on or after January 21st, 2026.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Argument injection (CWE-88) in public-facing MicrositeUrl web service module directly enables remote unauthenticated exploitation of the application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22583Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22586Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22585Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22584Same vendor: Salesforce
CVE-2026-44193Shared CWE-88
CVE-2026-26194Shared CWE-88
CVE-2024-47516Shared CWE-88
CVE-2026-2298Shared CWE-88
CVE-2026-44449Shared CWE-88
CVE-2026-24126Shared CWE-88

Affected Assets

salesforce
marketing cloud engagement
≤ 2026-01-21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates this CVE by requiring timely flaw remediation through application of the specified Salesforce Marketing Cloud Engagement patch released on January 21st, 2026.

prevent

Prevents argument injection (CWE-88) by enforcing information input validation and error handling to neutralize argument delimiters in the MicrositeUrl module.

detect

Enables detection of critical vulnerabilities like CVE-2026-22582 via regular vulnerability scanning of affected systems.

References