Cyber Resilience

CVE-2026-2298

Critical

Published: 23 March 2026

Published
23 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0041 32.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2298 is a critical-severity Argument Injection (CWE-88) vulnerability in Salesforce Marketing Cloud (inferred from references). Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2298 is an Improper Neutralization of Argument Delimiters in a Command, classified as Argument Injection (CWE-88), affecting Salesforce Marketing Cloud Engagement. The vulnerability enables Web Services Protocol Manipulation and impacts versions of Marketing Cloud Engagement prior to January 30th, 2026. It was published on 2026-03-23 and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

The vulnerability can be exploited by unauthenticated attackers over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to confidential data and allows significant integrity violations, such as command alteration, with a low impact on availability and no scope change.

Salesforce provides mitigation guidance in their security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Argument injection in public-facing Salesforce Marketing Cloud web service directly enables remote unauthenticated exploitation of the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44193Shared CWE-88
CVE-2026-22582Shared CWE-88
CVE-2026-26194Shared CWE-88
CVE-2024-47516Shared CWE-88
CVE-2026-44449Shared CWE-88
CVE-2026-24126Shared CWE-88
CVE-2026-27613Shared CWE-88
CVE-2026-26514Shared CWE-88
CVE-2025-21613Shared CWE-88
CVE-2026-45158Shared CWE-88

Affected Assets

Salesforce
Marketing Cloud
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific argument injection flaw in Salesforce Marketing Cloud Engagement by applying the vendor patch before January 30th, 2026.

prevent

Prevents argument injection by validating and neutralizing argument delimiters in web services inputs to the Marketing Cloud Engagement system.

prevent

Restricts web services inputs to exclude or limit argument delimiters, blocking injection attempts in Marketing Cloud Engagement.

References