CVE-2026-35178

Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/forceworkbench/forceworkbench/pull/869	Issue Tracking Vendor Advisory
https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:forceworkbench:forceworkbench:*:*:*:*:*:*:*:*

History

16 Apr 2026, 04:10

Type	Values Removed	Values Added
CPE		cpe:2.3:a:forceworkbench:forceworkbench::::::::
First Time		Forceworkbench Forceworkbench forceworkbench
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/forceworkbench/forceworkbench/pull/869 -~~	() https://github.com/forceworkbench/forceworkbench/pull/869 - Issue Tracking, Vendor Advisory
References	~~() https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc -~~	() https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc - Vendor Advisory

06 Apr 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-06 20:16

Updated : 2026-04-16 04:10

NVD link : CVE-2026-35178

Mitre link : CVE-2026-35178

CVE.ORG link : CVE-2026-35178

JSON object : View

Products Affected

forceworkbench

forceworkbench

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-35178", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-06T20:16:25.927", "references": [{"url": "https://github.com/forceworkbench/forceworkbench/pull/869", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0."}], "lastModified": "2026-04-16T04:10:58.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:forceworkbench:forceworkbench:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BFF91E5-0AA4-4AAC-8D08-F13C32C71042", "versionEndExcluding": "65.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}