CVE-2026-35178

Source
https://cve.org/CVERecord?id=CVE-2026-35178
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35178.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35178
Aliases
  • GHSA-jw63-m86r-2jxc
Published
2026-04-06T19:01:21.742Z
Modified
2026-07-15T01:48:51.929181878Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
Workbench Affected by Remote Code Execution (RCE) via Malicious Cookie in Timezone Conversion
Details

Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35178.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/forceworkbench/forceworkbench

Affected ranges

Type
GIT
Repo
https://github.com/forceworkbench/forceworkbench
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:forceworkbench:forceworkbench:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "65.0.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

23.*
23.0.0
24.*
24.0.0
25.*
25.0.0
25.0.0-Beta-1
25.0.1
25.0.2
26.*
26.0.0
26.0.1
27.*
27.0.0
27.0.1
27.0.2
27.0.3
27.0.4
27.0.5
27.0.6
27.0.7
27.0.8
27.0.9
28.*
28.0.0
28.0.1
28.0.2
29.*
29.0.0
29.0.1
29.0.2
29.0.3
29.0.4
29.0.4-Beta-1
29.0.4-Beta-2
29.0.4-Beta-3
29.0.4-Beta-4
29.0.4-Beta-5
29.0.4-Beta-6
29.0.5
29.0.6
29.0.7
29.0.8
29.0.9
34.*
34.0.0
34.0.1
34.0.12
34.0.13
34.0.2
34.0.3
34.0.4
34.0.5
34.0.6
34.0.7
34.0.8
34.0.9
35.*
35.0.0
36.*
36.0.0
36.0.1
36.0.2
36.0.3
36.0.4
36.0.5
36.0.6
36.0.7
37.*
37.0.0
37.0.1
37.0.2
39.*
39.0.0
40.*
40.0.0
41.*
41.0.0
41.0.1
42.*
42.0.0
43.*
43.0.0
45.*
45.0.0
45.0.1
46.*
46.0.0
47.*
47.0.0
48.*
48.0.0
49.*
49.0.0
50.*
50.0.0
51.*
51.0.0
52.*
52.0.0
53.*
53.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35178.json"