Salesforce

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-34951 1Salesforce 1Workbench Apr 14, 2026 Apr 6, 2026 5.1 MEDIUM· v4 6.1 MEDIUM· v3 N/A· v2 Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via...Show more Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input before rendering it in the page response. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Workbench allows XSS Targeting Error Pages. This vulnerability is fixed in 65.0.0.Show less
CVE-2026-22586 1Salesforce 1Marketing Cloud Engagement May 15, 2026 Jan 24, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protoc...Show more Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.Show less
CVE-2026-22585 1Salesforce 1Marketing Cloud Engagement Feb 12, 2026 Jan 24, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows...Show more Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.Show less
CVE-2026-22583 1Salesforce 1Marketing Cloud Engagement Feb 12, 2026 Jan 24, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affec...Show more Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.Show less
CVE-2026-22582 1Salesforce 1Marketing Cloud Engagement Feb 12, 2026 Jan 24, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affect...Show more Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.Show less
CVE-2026-22584 1Salesforce 1Uni2ts Jan 22, 2026 Jan 9, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0.
CVE-2025-64322 1Salesforce 1Agentforce Vibes Feb 4, 2026 Nov 4, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.
CVE-2025-64321 1Salesforce 1Agentforce Vibes Feb 4, 2026 Nov 4, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0...Show more Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.Show less
CVE-2025-64320 1Salesforce 1Agentforce Vibes Feb 4, 2026 Nov 4, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.This issue affects Agentforce Vibes Extension: before 3.2.0.
CVE-2025-64319 1Salesforce 1Mulesoft Anypoint Code Builder Feb 4, 2026 Nov 4, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before...Show more Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1Show less
CVE-2025-64318 1Salesforce 1Mulesoft Anypoint Code Builder Feb 4, 2026 Nov 4, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: befo...Show more Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1.Show less
CVE-2025-10875 1Salesforce 1Mulesoft Anypoint Code Builder Feb 4, 2026 Nov 4, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection.This issue affects Mulesoft Anypoint Code Builder: before 1.11.6.
CVE-2023-26136 1Salesforce 1Tough Cookie Nov 21, 2024 Jul 1, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in wh...Show more Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.Show less
CVE-2016-15012 1Salesforce 1Mobile Software Development Kit Nov 21, 2024 Jan 7, 2023 N/A· v4 9.8 CRITICAL· v3 5.2 MEDIUM· v2 UNSUPPORTED WHEN ASSIGNED A vulnerability was found in forcedotcom SalesforceMobileSDK-Windows up to 4.x. It has been rated as critical. This issue affects the function ComputeCountSql of the file SalesforceSDK/Sma...Show more UNSUPPORTED WHEN ASSIGNED A vulnerability was found in forcedotcom SalesforceMobileSDK-Windows up to 4.x. It has been rated as critical. This issue affects the function ComputeCountSql of the file SalesforceSDK/SmartStore/Store/QuerySpec.cs. The manipulation leads to sql injection. Upgrading to version 5.0.0 is able to address this issue. The patch is named 83b3e91e0c1e84873a6d3ca3c5887eb5b4f5a3d8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217619. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2021-1630 1Salesforce 1Mule Nov 21, 2024 Aug 5, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.
CVE-2021-1628 1Salesforce 1Mule Nov 21, 2024 Mar 26, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released b...Show more MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021.Show less
CVE-2021-1627 1Salesforce 1Mule Nov 21, 2024 Mar 26, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.x,3.9.x,4.x runtime r...Show more MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.x,3.9.x,4.x runtime released before February 2, 2021.Show less
CVE-2021-1626 1Salesforce 1Mule Nov 21, 2024 Mar 26, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Versions affected: Mule 4.1.x and 4.2.x runtime re...Show more MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Versions affected: Mule 4.1.x and 4.2.x runtime released before February 2, 2021.Show less
CVE-2016-1000232 3Ibm RedhatSalesforce 3Api Connect Openshift Container PlatformTough Cookie Nov 21, 2024 Sep 5, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP heade...Show more NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.Show less
CVE-2017-15010 1Salesforce 1Tough Cookie May 13, 2026 Oct 4, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the applicati...Show more A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.Show less