salesforce CVE Vulnerabilities & Metrics

Focus on salesforce vulnerabilities and metrics.

Last updated: 15 Feb 2026, 23:25 UTC

About salesforce Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with salesforce. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total salesforce CVEs: 11
Earliest CVE date: 04 Oct 2017, 01:29 UTC
Latest CVE date: 04 Nov 2025, 19:17 UTC

Latest CVE reference: CVE-2025-64322

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical salesforce CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.88

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	4
4.0-6.9	4
7.0-8.9	3
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS salesforce CVEs

These are the five CVEs with the highest CVSS scores for salesforce, sorted by severity first and recency.

CVE-2021-1628 salesforce Published on 26 Mar 2021, 17:15 UTC (CVSS: 7.5)
MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021.
CVE-2021-1627 salesforce Published on 26 Mar 2021, 17:15 UTC (CVSS: 7.5)
MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.x,3.9.x,4.x runtime released before February 2, 2021.
CVE-2021-1626 salesforce Published on 26 Mar 2021, 17:15 UTC (CVSS: 7.5)
MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Versions affected: Mule 4.1.x and 4.2.x runtime released before February 2, 2021.
CVE-2016-15012 salesforce Published on 07 Jan 2023, 13:15 UTC (CVSS: 5.2)
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in forcedotcom SalesforceMobileSDK-Windows up to 4.x. It has been rated as critical. This issue affects the function ComputeCountSql of the file SalesforceSDK/SmartStore/Store/QuerySpec.cs. The manipulation leads to sql injection. Upgrading to version 5.0.0 is able to address this issue. The patch is named 83b3e91e0c1e84873a6d3ca3c5887eb...
CVE-2021-1630 salesforce Published on 05 Aug 2021, 21:15 UTC (CVSS: 5.0)
XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.

All CVEs for salesforce

CVE-2025-64322 salesforce vulnerability CVSS: 0 04 Nov 2025, 19:17 UTC

Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.

CVE-2025-64321 salesforce vulnerability CVSS: 0 04 Nov 2025, 19:17 UTC

Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.

CVE-2025-64320 salesforce vulnerability CVSS: 0 04 Nov 2025, 19:17 UTC

Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.This issue affects Agentforce Vibes Extension: before 3.2.0.

CVE-2023-26136 salesforce vulnerability CVSS: 0 01 Jul 2023, 05:15 UTC

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

CVE-2016-15012 salesforce vulnerability CVSS: 5.2 07 Jan 2023, 13:15 UTC

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in forcedotcom SalesforceMobileSDK-Windows up to 4.x. It has been rated as critical. This issue affects the function ComputeCountSql of the file SalesforceSDK/SmartStore/Store/QuerySpec.cs. The manipulation leads to sql injection. Upgrading to version 5.0.0 is able to address this issue. The patch is named 83b3e91e0c1e84873a6d3ca3c5887eb5b4f5a3d8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217619. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2021-1630 salesforce vulnerability CVSS: 5.0 05 Aug 2021, 21:15 UTC

XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.

CVE-2021-1628 salesforce vulnerability CVSS: 7.5 26 Mar 2021, 17:15 UTC

MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021.

CVE-2021-1627 salesforce vulnerability CVSS: 7.5 26 Mar 2021, 17:15 UTC

MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.x,3.9.x,4.x runtime released before February 2, 2021.

CVE-2021-1626 salesforce vulnerability CVSS: 7.5 26 Mar 2021, 17:15 UTC

MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Versions affected: Mule 4.1.x and 4.2.x runtime released before February 2, 2021.

CVE-2016-1000232 salesforce vulnerability CVSS: 5.0 05 Sep 2018, 17:29 UTC

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

CVE-2017-15010 salesforce vulnerability CVSS: 5.0 04 Oct 2017, 01:29 UTC

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.