This vulnerability (CWE-88) in Salesforce Marketing Cloud Engagement allows an attacker to manipulate web services protocol commands by injecting argument delimiters improperly neutralized by the system. This can lead to unauthorized command execution affecting confidentiality and integrity of the service. The issue affects all versions before January 30th, 2026. The product is cloud-hosted, and Salesforce manages remediation for this service. The CVSS 3.1 base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality and integrity impact with low availability impact.

Successful exploitation could allow remote attackers to execute unauthorized commands via web services protocol manipulation, potentially compromising sensitive data and system integrity. Availability impact is low. No known exploits are reported in the wild currently.

A patch is available for this vulnerability. Since Marketing Cloud Engagement is a cloud service, Salesforce manages the remediation on their side. Users should verify with Salesforce's official advisory and ensure their environment is updated to the fixed version released after January 30th, 2026. No additional user action is required beyond confirming the patch application status with the vendor.