CVE-2026-34951
Received Received - Intake
Reflected XSS in Workbench FooterScripts Allows Error Page Attacks

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input before rendering it in the page response. Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Workbench allows XSS Targeting Error Pages. This vulnerability is fixed in 65.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34951
EUVD
EUVD-2026-19357
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
salesforce workbench to 65.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this reflected cross-site scripting (XSS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow attackers to hijack authenticated user sessions by injecting malicious scripts via the footerScripts parameter.

The impact includes limited information disclosure and limited unauthorized modification, but no impact on system availability.

  • Attackers can remotely exploit this vulnerability over the network.
  • No privileges are required for an attacker to exploit this vulnerability.
  • User interaction is required for the attack to succeed.
Executive Summary

CVE-2026-34951 is a reflected cross-site scripting (XSS) vulnerability in the Workbench PHP package used to interact with Salesforce.com organizations. It occurs because the footerScripts parameter does not properly sanitize user-supplied input before rendering it in the page response.

This improper neutralization allows attackers to inject malicious scripts that execute in the context of a victim's browser, particularly targeting error pages.

The vulnerability affects all versions up to and including 53.0.0 and has been fixed in version 65.0.0.

Detection Guidance

This vulnerability is a reflected cross-site scripting (XSS) issue involving the footerScripts parameter in Workbench versions up to 53.0.0. Detection involves testing if the footerScripts parameter improperly sanitizes input and reflects it in the page response.

A common method to detect reflected XSS vulnerabilities is to send a crafted HTTP request with a benign script payload in the footerScripts parameter and observe if it is executed or reflected unsanitized in the response.

For example, you can use curl or similar tools to send a request like:

  • curl -v "http://[target]/footer.php?footerScripts=<script>alert('XSS')</script>"

If the response contains the script tag unescaped or the script executes in a browser, the vulnerability is present.

Mitigation Strategies

The primary mitigation step is to upgrade Workbench to version 65.0.0 or later, where this reflected XSS vulnerability has been fixed.

Until the upgrade can be performed, users should avoid interacting with untrusted input in the footerScripts parameter and consider restricting access to the affected Workbench versions.

Additionally, applying web application firewall (WAF) rules to detect and block suspicious scripts in requests targeting the footerScripts parameter can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34951. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart