VYPR

Vendor CVEs

Salesforce

All CVEs

29 total · sorted by risk
  • CVE-2026-22586CriJan 24, 2026
    risk 0.64cvss 9.8epss 0.01

    Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud…

  • CVE-2025-43698CriJun 10, 2025
    risk 0.59cvss 9.1epss 0.00

    Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. This impacts OmniStudio: before Spring 2025

  • CVE-2026-35178CriApr 6, 2026
    risk 0.57cvss 9.8epss 0.00

    Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled…

  • CVE-2025-9844HigSep 23, 2025
    risk 0.57cvss 8.8epss 0.00

    Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable.This issue affects Salesforce CLI: before 2.106.6.

  • CVE-2025-43701HigJun 10, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data.  This impacts OmniStudio: before version 254.

  • CVE-2025-43700HigJun 10, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of encrypted data.  This impacts OmniStudio: before Spring 2025.

  • CVE-2025-43697HigJun 10, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025

  • CVE-2017-15010HigOct 4, 2017
    risk 0.42cvss 7.5epss 0.03

    A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

  • CVE-2025-43699MedJun 10, 2025
    risk 0.34cvss 5.3epss 0.00

    Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of required permission check.  This impacts OmniStudio: before Spring 2025

  • CVE-2026-34951MedApr 6, 2026
    risk 0.33cvss 6.1epss 0.00

    Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize…

  • CVE-2020-12011Jul 16, 2020
    risk 0.01cvss epss 0.29

    A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A…

  • CVE-2026-2298Mar 23, 2026
    risk 0.00cvss epss 0.00

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.

  • CVE-2026-22583Jan 24, 2026
    risk 0.00cvss epss 0.01

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

  • CVE-2026-22582Jan 24, 2026
    risk 0.00cvss epss 0.01

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

  • CVE-2026-22585Jan 24, 2026
    risk 0.00cvss epss 0.00

    Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects…

  • CVE-2026-22584Jan 9, 2026
    risk 0.00cvss epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0.

  • CVE-2025-64322Nov 4, 2025
    risk 0.00cvss epss 0.00

    Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.

  • CVE-2025-64321Nov 4, 2025
    risk 0.00cvss epss 0.00

    Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.

  • CVE-2025-64320Nov 4, 2025
    risk 0.00cvss epss 0.00

    Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.This issue affects Agentforce Vibes Extension: before 3.2.0.

  • CVE-2025-64319Nov 4, 2025
    risk 0.00cvss epss 0.00

    Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1

  • CVE-2025-64318Nov 4, 2025
    risk 0.00cvss epss 0.00

    Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1.

  • CVE-2025-10875Nov 4, 2025
    risk 0.00cvss epss 0.00

    Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection.This issue affects Mulesoft Anypoint Code Builder: before 1.11.6.

  • CVE-2022-22128Oct 17, 2022
    risk 0.00cvss epss 0.01

    Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent’s internal file transfer service that could allow remote code execution.Tableau only supports product versions for 24 months after release. Older versions have reached their End of…

  • CVE-2021-1630Aug 5, 2021
    risk 0.00cvss epss 0.01

    XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.

  • CVE-2021-1628Mar 26, 2021
    risk 0.00cvss epss 0.01

    MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021.

  • CVE-2021-1627Mar 26, 2021
    risk 0.00cvss epss 0.01

    MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.x,3.9.x,4.x runtime released before February 2, 2021.

  • CVE-2020-12015Jul 16, 2020
    risk 0.00cvss epss 0.02

    A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC…

  • CVE-2020-6937May 29, 2020
    risk 0.00cvss epss 0.01

    A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.

  • CVE-2019-15631Dec 2, 2019
    risk 0.00cvss epss 0.02

    Remote Code Execution vulnerability in MuleSoft Mule CE/EE 3.x and API Gateway 2.x released before October 31, 2019 allows remote attackers to execute arbitrary code.