CVE-2026-10234: Mettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
Mettle sendportal versions up to 3.0.1 contain a cross-site scripting (XSS) vulnerability in the Campaign Handler component. An authenticated attacker can inject malicious scripts through the content parameter in the /webview/ endpoint, potentially allowing them to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability requires user interaction to be effective and does not grant direct administrative access. Exploit code is publicly available, elevating practical risk despite the low CVSS score.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10234 is a stored or reflected XSS vulnerability (CWE-79) affecting Mettle sendportal through version 3.0.1. The vulnerability resides in the Campaign Handler's /webview/ endpoint, where the content parameter is not adequately sanitized or escaped before rendering in a user's browser. An authenticated attacker with campaign creation or editing privileges can inject arbitrary JavaScript that executes in the context of another user's session. The vulnerability carries a CVSS v3.1 score of 3.5 (LOW) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, indicating network-based attack, low complexity, required login, necessary user interaction, and limited integrity impact. Related weakness CWE-94 may indicate unsafe dynamic code evaluation in addition to direct DOM injection.
Business impact
While CVSS scoring reflects limited direct damage potential, the public availability of exploit code and the authenticated-but-low-barrier entry point create operational risk. An attacker with valid sendportal credentials—obtained through phishing, credential stuffing, or insider access—can craft campaigns that execute scripts when viewed by other users. Potential consequences include unauthorized campaign data exfiltration, user session hijacking, defacement of campaign content, or social engineering via malicious redirects embedded in campaigns. Organizations relying on sendportal for email campaigns should consider reputational and compliance implications if user interactions are compromised.
Affected systems
Mettle sendportal up to and including version 3.0.1 is affected. The vulnerability affects the Campaign Handler component's web view functionality. No patch version or specific remediation version was provided in the vulnerability notice at the time of publication. Users should consult the Mettle sendportal project repository or vendor advisory to determine the earliest patched version.
Exploitability
Exploitability is moderate in practice despite low CVSS. Exploitation requires: (1) valid authentication credentials to the sendportal instance, (2) the ability to create or modify a campaign, and (3) a target user to click a link or view campaign content. Public exploit availability lowers the technical barrier for attackers who have already obtained credentials. The attack does not require administrator rights, making it accessible to standard users. Social engineering or credential compromise via unrelated breaches significantly increases risk.
Remediation
Upgrade Mettle sendportal to a version newer than 3.0.1. Verify the specific patched version against the official Mettle sendportal release notes or GitHub repository. In the interim, restrict campaign creation and editing permissions to trusted users only, enforce strong authentication (multi-factor authentication if supported), and educate staff about not clicking unverified campaign preview links. Input validation and output encoding reviews of the /webview/ endpoint should be prioritized in any patched version.
Patch guidance
Apply the latest version of Mettle sendportal released after 3.0.1. Confirm the patched version number against the official Mettle project advisory or GitHub releases before deployment. Test the upgrade in a non-production environment first to ensure compatibility with existing campaigns and integrations. After patching, clear any cached campaign previews and reset user sessions to ensure old XSS payloads are not replayed. Monitor logs for signs of prior exploitation (unusual JavaScript in campaign content fields).
Detection guidance
Monitor sendportal logs and database records for suspicious campaign content containing script tags, event handlers (onload, onerror, onclick), or encoded JavaScript. Search campaign content fields for common XSS payloads such as <script>, javascript:, or data: URLs. Inspect HTTP requests to /webview/ endpoints for anomalous content parameters. Correlate campaign modifications with user accounts that typically do not create campaigns. Use Web Application Firewalls (WAF) rules to block or alert on requests containing script injection patterns in the content parameter. Enable detailed audit logging of all campaign creation and modification events.
Why prioritize this
Although CVSS is low (3.5), this vulnerability warrants near-term attention due to public exploit availability and the low barrier to entry for authenticated attackers. Organizations should prioritize patching if sendportal instances are internet-facing or accessible to contractors and partners. The lack of vendor response at time of publication adds uncertainty about patch timelines; proactive mitigation controls and monitoring are essential while awaiting an official fix.
Risk score, explained
The CVSS v3.1 score of 3.5 (LOW) reflects the requirement for authentication and user interaction, combined with limited direct impact (integrity only, no confidentiality or availability loss). However, the public availability of exploit code, the ease of leveraging credential compromise, and the potential for supply-chain risk (malicious campaigns affecting end recipients) justify higher operational risk than the base score alone suggests. Organizations should layer detection and access controls rather than rely solely on the CVSS rating to deprioritize this issue.
Frequently asked questions
Do I need administrator privileges to exploit this vulnerability?
No. Any authenticated user with campaign creation or editing rights can inject malicious content. This lowers the barrier significantly compared to vulnerabilities requiring admin-level access. Credential compromise or insider threats pose material risk.
Will upgrading sendportal automatically remove malicious scripts from existing campaigns?
Upgrading the application code will fix the underlying XSS flaw, but it does not retroactively sanitize campaign content already stored in the database. After patching, audit campaign content for suspicious scripts and manually remove or quarantine affected campaigns.
Is this vulnerability in the CISA KEV catalog?
No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the presence of public exploit code and active discussion in security forums warrants treating it with the same urgency as KEV entries.
Does this vulnerability allow an attacker to steal user passwords?
No directly. However, an attacker can steal session cookies or credentials entered after viewing a malicious campaign. Users should reset passwords and revoke active sessions after any suspected compromise.
This analysis is provided for informational purposes and does not constitute professional security advice. Verify all patch version numbers and technical details against official Mettle sendportal advisories and release notes before deploying fixes. Organizations should conduct their own risk assessment based on their specific environment, sendportal deployment scope, and user base. SEC.co disclaims liability for any damage or misuse resulting from this information. Always test patches in a non-production environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0
- CVE-2026-10529LOWwestboy CicadasCMS XSS in Task Scheduling Module