Salesforce Marketing Cloud Vulnerabilities Expose Cross-Tenant Subscriber Data Risks

**Executive summary:** A set of critical vulnerabilities in Salesforce Marketing Cloud (SFMC) — including AMPScript template injection, an unauthenticated CBC padding-oracle in the CloudPages "qs" parameter, and a weak legacy XOR-based URL format — could have allowed attackers to execute template payloads, forge cross-tenant QS tokens, and enumerate or exfiltrate subscriber records and sent email content across multiple tenants; Salesforce assigned multiple CVEs and implemented mitigations (migrated to AES-GCM, rotated keys, disabled double evaluation, and invalidated legacy links) between 21–24 January 2026, with no confirmed exploitation reported at disclosure.