Home / Vulnerability Intelligence / CVE-2026-2298

CVE-2026-2298 - Vulnerability Analysis

CriticalCVSS: 9.4

Last Updated: March 24, 2026

Salesforce Marketing Cloud Engagement - Command Injection

Published: March 23, 2026Updated: March 24, 2026Remote Exploitable

Overview

Salesforce Marketing Cloud Engagement before January 30th, 2026 contains a command injection caused by improper neutralization of argument delimiters in Web Services Protocol, letting attackers manipulate commands remotely, exploit requires crafted requests.

Severity & Score

Severity: Critical

CVSS Score: 9.4

Impact

Attackers can manipulate commands remotely, potentially leading to arbitrary command execution.

Mitigation

Update to version released after January 30th, 2026 or latest available version.

References

https://help.salesforce.com/s/articleView?id=005299346&type=1

Related Resources

Details

CVE ID: CVE-2026-2298
Severity: Critical
CVSS Score: 9.4
Type: command_injection
Status: unconfirmed

CWE

CWE-88

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L