Loading…
Loading…
Written by Max Zeshut
Founder at Agentmelt · Last updated Jul 8, 2026
A September 2025 indirect prompt injection vulnerability in Salesforce Agentforce disclosed by Noma Security, scored CVSS 9.4. A field on a public web-to-lead form became an injection vector: Agentforce, processing new leads, would read the payload as instructions and exfiltrate CRM data. ForcedLeak is notable because the attack surface was a *public form*—no compromised employee, no phishing—demonstrating that any customer-facing input field an AI agent consumes is a potential injection vector.