Cyber Resilience

CVE-2026-22583

Critical

Published: 24 January 2026

Published
24 January 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0066 46.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22583 is a critical-severity Argument Injection (CWE-88) vulnerability in Salesforce Marketing Cloud Engagement. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22583 is an Improper Neutralization of Argument Delimiters in a Command vulnerability, classified as Argument Injection (CWE-88), affecting the CloudPagesUrl module in Salesforce Marketing Cloud Engagement. This flaw enables Web Services Protocol Manipulation and impacts Marketing Cloud Engagement versions prior to January 21st, 2026. Published on January 24, 2026, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote exploitation.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and without requiring user interaction or privileges. Successful exploitation grants high-impact access to compromise confidentiality, integrity, and availability, potentially allowing arbitrary command execution or protocol manipulation within the affected module.

Salesforce mitigation details are available in their security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1, with the vulnerability resolved in Marketing Cloud Engagement releases on or after January 21st, 2026. Security practitioners should prioritize patching affected instances to versions post-January 21st, 2026.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Argument injection in public-facing CloudPagesUrl module directly enables remote unauthenticated command execution (T1190) and use of command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22582Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22586Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22585Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22584Same vendor: Salesforce
CVE-2026-3515Shared CWE-88
CVE-2026-44193Shared CWE-88
CVE-2026-44450Shared CWE-88
CVE-2026-26194Shared CWE-88
CVE-2024-47516Shared CWE-88
CVE-2026-2298Shared CWE-88

Affected Assets

salesforce
marketing cloud engagement
≤ 2026-01-21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of the argument injection flaw in the CloudPagesUrl module via patching to post-January 21st, 2026 releases.

prevent

Directly addresses the improper neutralization of argument delimiters by enforcing input validation mechanisms at entry points to block injection attacks.

prevent

Requires monitoring and implementing vendor security advisories, such as Salesforce's for this CVE, to apply the specific fix promptly.

References