
CVE-2026-35178

CRITICAL CVSS 4.0: 9.3 EPSS 0.31%
Updated Apr 07, 2026
Salesforce
| Parameter | Value |
|---|---|
| CVSS | 9.3 (CRITICAL) |
| Fixed In | 65.0.0 |
| Type | CWE-94 (Code Injection) |
| Vendor | Salesforce |
| Public PoC | No |

Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Attack Requirements: None (no additional conditions)
Privileges Required: None (no privileges needed)
User Interaction: Passive (minimal interaction)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: None (no disruption)

CVSS Vector v4.0

Weakness Type (CWE)