Salesforce


Products by Salesforce Sorted by Most Security Vulnerabilities since 2018

Salesforce Mule: 4 vulnerabilities
Salesforce Cli: 1 vulnerability
Salesforce Tough Cookie: 1 vulnerability
Salesforce Uni2ts: 1 vulnerability

By the Year

In 2026 there have been 6 vulnerabilities in Salesforce with an average score of 9.7 out of ten. Last year, in 2025, Salesforce had 8 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Salesforce in 2026 could surpass last year's number. In addition, the average CVE base score of the vulnerabilities in 2026 is greater by 3.33.

Year  Vulnerabilities  Average Score
2026  6                9.73
2025  8                6.40
2024  0                0.00
2023  2                9.80
2022  0                0.00
2021  4                0.00

It may take a day or so for new Salesforce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Salesforce Security Vulnerabilities

CVE-2026-2298 | Mar 23, 2026
Title: Salesforce Marketing Cloud Eng Arg Injection via Web Services Proto Manip
Description: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.

CVE-2026-22583 | Jan 24, 2026
Title: Argument Injection in Salesforce Marketing Cloud CloudPagesUrl
Description: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

CVE-2026-22582 | Jan 24, 2026
Title: Argument Injection via Delimiter in SFMC Engagement MicrositeUrl
Description: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

CVE-2026-22586 | Jan 24, 2026
Title: Hardcoded Crypto Key in Salesforce MKTG Cloud, WSP Manipulation
Description: Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

CVE-2026-22585 | Jan 24, 2026
Title: Broken Crypto in Salesforce MCE Enables Web Services Protocol Manipulation
Description: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

CVE-2026-22584 | Jan 09, 2026
Title: Uni2TS 1.2.0 Code Injection via Non-Executable Files on macOS, Windows, Linux
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files. This issue affects Uni2TS: through 1.2.0.
Products: Uni2ts

CVE-2025-64322 | Nov 04, 2025
Title: Salesforce Agentforce Vibes <=3.1: Writeable Config Files Perm Issue
Description: Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files. This issue affects Agentforce Vibes Extension: before 3.3.0.
Products: Agentforce Vibes Extension

CVE-2025-64321 | Nov 04, 2025
Title: LLM Prompt Injection via Config Hijack in Agentforce Vibes Ext. <3.2.0
Description: Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files. This issue affects Agentforce Vibes Extension: before 3.3.0.
Products: Agentforce Vibes Extension

CVE-2025-64320 | Nov 04, 2025
Title: Agentforce Vibes Extension <3.2.0 LLM Prompt Code Injection (CVE-2025-64320)
Description: Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection. This issue affects Agentforce Vibes Extension: before 3.2.0.
Products: Agentforce Vibes Extension

CVE-2025-64319 | Nov 04, 2025
Title: Anypoint CB 1.11.6: Permission Issue (CVE-2025-64319)
Description: Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files. This issue affects Mulesoft Anypoint Code Builder: before 1.12.1.
Products: Mulesoft Anypoint Code Builder

CVE-2025-64318 | Nov 04, 2025
Title: Mulesoft Anypoint CB <1.11.6 Config File Write via LLM Prompt
Description: Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files. This issue affects Mulesoft Anypoint Code Builder: before 1.12.1.
Products: Mulesoft Anypoint Code Builder

CVE-2025-10875 | Nov 04, 2025
Title: Mulesoft Anypoint Code Builder <1.11.6 Improper LLM Prompt Injection
Description: Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection. This issue affects Mulesoft Anypoint Code Builder: before 1.11.6.
Products: Mulesoft Anypoint Code Builder

CVE-2025-9844 | Sep 23, 2025
Title: Uncontrolled Search Path Element in Salesforce CLI before 2.106.6 (Windows)
Description: Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable. This issue affects Salesforce CLI: before 2.106.6.
Products: Salesforce Cli

CVE-2025-52454 | Jul 25, 2025
Title: SSRF in Tableau Server <2025.1.3 (Amazon S3 Connector)
Description: Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Amazon S3 Connector modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.

CVE-2023-26136 | Jul 01, 2023
Title: tough-cookie <4.1.3 Prototype Pollution via CookieJar rejectPublicSuffixes=false
Description: Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Products: Tough Cookie

CVE-2016-15012 | Jan 07, 2023
Title: Salesforce Mobile SDK Windows <=4.x SQLi (fixed 5.0.0)
Description: ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in forcedotcom SalesforceMobileSDK-Windows up to 4.x. It has been rated as critical. This issue affects the function ComputeCountSql of the file SalesforceSDK/SmartStore/Store/QuerySpec.cs. The manipulation leads to sql injection. Upgrading to version 5.0.0 is able to address this issue. The patch is named 83b3e91e0c1e84873a6d3ca3c5887eb5b4f5a3d8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217619. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Products: Mobile Software Development Kit

CVE-2021-1630 | Aug 05, 2021
Title: XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component
Description: XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.
Products: Mule

CVE-2021-1628 | Mar 26, 2021
Title: MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component
Description: MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021.
Products: Mule

CVE-2021-1627 | Mar 26, 2021
Title: MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component
Description: MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.x, 3.9.x, 4.x runtime released before February 2, 2021.
Products: Mule

CVE-2021-1626 | Mar 26, 2021
Title: MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component
Description: MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Versions affected: Mule 4.1.x and 4.2.x runtime released before February 2, 2021.
Products: Mule
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).