CVE-2026-22582

Name of the Vulnerable Software and Affected Versions Salesforce Marketing Cloud Engagement versions prior to January 21st, 2026

Description Improper Neutralization of Argument Delimiters in a Command, also known as Argument Injection, in the MicrositeUrl module allows Web Services Protocol Manipulation. Argument Injection occurs when an application fails to properly sanitize user-supplied input used as a command-line argument, allowing an attacker to inject additional arguments to alter the command's behavior.

Recommendations Update Salesforce Marketing Cloud Engagement to a version released on or after January 21st, 2026. As a temporary workaround, restrict the use of the MicrositeUrl module to minimize the risk of exploitation.