CVE-2026-2298 PUBLISHED

Assigner: Salesforce
Reserved: 10.02.2026 Published: 23.03.2026 Updated: 24.03.2026

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.

Product Status

Vendor	Salesforce
Product	Marketing Cloud Engagement
Versions	Default: unaffected affected from 0 to January 30th, 2026 (excl.)

References

https://help.salesforce.com/s/articleView?id=005299346&type=1

Problem Types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE

Impacts

CAPEC-278 Web Services Protocol Manipulation