{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35178", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-06T19:01:21.742Z", "dateUpdated": "2026-04-07T14:04:48.145Z"}, "containers": {"cna": {"title": "Workbench Affected by Remote Code Execution (RCE) via Malicious Cookie in Timezone Conversion", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc"}, {"name": "https://github.com/forceworkbench/forceworkbench/pull/869", "tags": ["x_refsource_MISC"], "url": "https://github.com/forceworkbench/forceworkbench/pull/869"}], "affected": [{"vendor": "forceworkbench", "product": "forceworkbench", "versions": [{"version": "< 65.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:01:21.742Z"}, "descriptions": [{"lang": "en", "value": "Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0."}], "source": {"advisory": "GHSA-jw63-m86r-2jxc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:04:40.203244Z", "id": "CVE-2026-35178", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:04:48.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Workbench Affected by Remote Code Execution (RCE) via Malicious Cookie in Timezone Conversion", "source": {"advisory": "GHSA-jw63-m86r-2jxc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "forceworkbench", "product": "forceworkbench", "versions": [{"status": "affected", "version": "< 65.0.0"}]}], "references": [{"url": "https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc", "name": "https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/forceworkbench/forceworkbench/pull/869", "name": "https://github.com/forceworkbench/forceworkbench/pull/869", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:01:21.742Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35178", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T14:04:40.203244Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T14:04:44.296Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-35178", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:01:21.742Z", "dateReserved": "2026-04-01T17:26:21.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T19:01:21.742Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0."}], "id": "CVE-2026-35178", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:25.927", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/forceworkbench/forceworkbench/pull/869"}, {"source": "security-advisories@github.com", "url": "https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,65.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "forceworkbench", "source": "cna", "vendor": "forceworkbench"}, "product": "forceworkbench", "vendor": "forceworkbench"}], "analysis": {"en": {"generated_at": "2026-04-07T02:09:14.837009+00:00", "value": {"mitigation_remediation": ["Update Force Workbench to version 65.0.0 or later", "Verify the Workbench version after applying the update"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the Workbench suite with a version older than 65.0.0 are affected. The flaw exists in the administrative and developer tools that interact with Salesforce.com APIs across the code base prior to the patch. Inventorying Workbench deployments and checking the version number is essential to determine exposure.", "description_and_impact": "Workbench contains an unsafe timezone conversion routine that processes cookie values. Maliciously crafted cookies can inject and execute arbitrary code on the server, allowing an attacker to gain full control of the application and potentially the underlying system. This results in a severe confidentiality and integrity compromise.", "risk_and_exploitability": "The CVSS score of 9.3 classifies this vulnerability as critical, and while no public exploit has been reported and EPSS data is not available, the remote code execution nature means any attacker able to set a malicious cookie on the Workbench instance can exploit the flaw. The likely attack vector is inferred to be a remote web request containing the harmful cookie. The vulnerability is not listed in CISA\u2019s KEV catalog, but the high severity and easy exploitation path warrant urgent attention."}}}}, "created": "2026-04-07T06:54:34.624542+00:00", "updated": "2026-04-07T09:37:37.921860+00:00", "vendors": ["forceworkbench", "forceworkbench$PRODUCT$forceworkbench"]}