CVE-2026-22583

Critical

Published: 24 January 2026

Published

24 January 2026

Modified

12 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22583 is a critical-severity Argument Injection (CWE-88) vulnerability in Salesforce Marketing Cloud Engagement. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the argument injection flaw in the CloudPagesUrl module via patching to post-January 21st, 2026 releases.

SI-10 Information Input Validation good match

prevent

Directly addresses the improper neutralization of argument delimiters by enforcing input validation mechanisms at entry points to block injection attacks.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Requires monitoring and implementing vendor security advisories, such as Salesforce's for this CVE, to apply the specific fix promptly.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Argument injection in public-facing CloudPagesUrl module directly enables remote unauthenticated command execution (T1190) and use of command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

Deeper analysisAI

CVE-2026-22583 is an Improper Neutralization of Argument Delimiters in a Command vulnerability, classified as Argument Injection (CWE-88), affecting the CloudPagesUrl module in Salesforce Marketing Cloud Engagement. This flaw enables Web Services Protocol Manipulation and impacts Marketing Cloud Engagement versions prior to January 21st, 2026. Published on January 24, 2026, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote exploitation.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and without requiring user interaction or privileges. Successful exploitation grants high-impact access to compromise confidentiality, integrity, and availability, potentially allowing arbitrary command execution or protocol manipulation within the affected module.

Salesforce mitigation details are available in their security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1, with the vulnerability resolved in Marketing Cloud Engagement releases on or after January 21st, 2026. Security practitioners should prioritize patching affected instances to versions post-January 21st, 2026.