Cyber Resilience

CVE-2026-22584

CriticalRCE

Published: 09 January 2026

Published
09 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 28.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22584 is a critical-severity Code Injection (CWE-94) vulnerability in Salesforce Uni2Ts. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-22584 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified as CWE-94, affecting Salesforce Uni2TS on MacOS, Windows, and Linux. The issue, published on 2026-01-09T22:16:01.160, enables attackers to leverage executable code in non-executable files and impacts Uni2TS versions through 1.2.0. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical severity.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction and without changing scope. Successful exploitation results in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution and full system compromise.

Salesforce provides mitigation guidance in their security advisory at https://help.salesforce.com/s/articleView?id=005239354&type=1.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0.

CWE(s)

Related Threats

Threat-Actor AttributionAI

Active Exploitation of Microsoft SharePoint Vulnerabilities

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Code injection (CWE-94) vulnerability with network vector, no auth/UI required, directly enables remote arbitrary code execution via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22586Same vendor: Salesforce
CVE-2026-22582Same vendor: Salesforce
CVE-2026-22585Same vendor: Salesforce
CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2026-9170Shared CWE-94

Affected Assets

salesforce
uni2ts
≤ 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation through patching Salesforce Uni2TS beyond version 1.2.0 to eliminate the specific code injection vulnerability.

prevent

Enforces validation of information inputs to prevent improper code generation and injection in Uni2TS.

prevent

Implements memory protection safeguards like DEP to block execution of injected code from non-executable files leveraged by the Uni2TS vulnerability.

References