CVE-2026-22582 PUBLISHED

Assigner: Salesforce
Reserved: 07.01.2026 Published: 24.01.2026 Updated: 24.01.2026

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

Product Status

Vendor	Salesforce
Product	Marketing Cloud Engagement
Versions	Default: unaffected affected from 0 to January 21, 2026 (excl.)

References

https://help.salesforce.com/s/articleView?id=005299346&type=1

Problem Types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE

Impacts

CAPEC-278 Web Services Protocol Manipulation