CVE-2026-10234
Status: Received - Intake
Cross-Site Scripting in Mettle SendPortal

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was detected in Mettle SendPortal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument `content` results in cross-site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE
Vendor: mettle
Product: sendportal
Version / Range: up to 3.0.1 (inclusive)
CWE ID and Description
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Mettle SendPortal application, specifically in the campaign content rendering functionality.

An attacker can inject arbitrary JavaScript code into the content field of a campaign. This malicious script is then rendered without proper sanitization using Laravel Blade's raw rendering directive `{!! $content !!}`.

When the campaign preview page or the public webview link is accessed, the injected JavaScript executes immediately, even without authentication.


How can this vulnerability impact me?

The impact of this vulnerability includes the potential for session hijacking, unauthorized actions performed via the victim's session, and phishing or credential harvesting attacks.

Because the malicious script executes in the context of the victim's browser, attackers can steal sensitive information or perform actions on behalf of the user.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the SendPortal application is rendering campaign content using the Laravel Blade directive `{!! $content !!}` without proper sanitization. Specifically, the vulnerable file is `vendor/mettle/sendportal-core/resources/views/webview/show.blade.php`.

To detect exploitation attempts on your system or network, you can monitor HTTP requests to the `/webview/{hash}` endpoint for suspicious payloads containing JavaScript code such as `<script>alert("XSS")</script>` or other script tags.

Example commands to detect potential exploitation attempts include:

  • Using grep to search web server logs for suspicious script tags: `grep -i '<script>' /var/log/nginx/access.log` or `grep -i '<script>' /var/log/apache2/access.log`
  • Using curl to test the vulnerable endpoint with a payload: `curl -X POST -d 'content=<script>alert(1)</script>' https://your-sendportal-domain/webview/{hash}` (replace `{hash}` with an actual campaign hash)
  • Review the source code or deployment to verify if the `{!! $content !!}` directive is used without sanitization in the mentioned file.
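As an added example, not part of this advisory, the log check above can be made more robust than a plain grep: the script below parses constructed access-log lines, percent-decodes the request path (including double-encoded forms that a literal `<script>` grep misses) and reports only requests to the `/webview/` endpoint that carry script content. The log lines, IPs and campaign hash are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /webview/abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2026:10:00:02 +0000] "GET /webview/abc123?x=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [01/Jun/2026:10:00:03 +0000] "GET /webview/abc123?x=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [01/Jun/2026:10:00:04 +0000] "GET /webview/abc123?x=%253Cscript%253E HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [01/Jun/2026:10:00:05 +0000] "POST /campaigns/1/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2026:10:00:06 +0000] "GET /login?next=<script>x</script> HTTP/1.1" 200 100 "-" "curl/8.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Script-bearing content; case-insensitive, tolerates whitespace after '<'.
SCRIPT_RE = re.compile(r'<\s*script\b|javascript:', re.IGNORECASE)


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def find_webview_script_requests(log_text, endpoint_prefix="/webview/"):
    """Return requests to the webview endpoint whose decoded path contains script content."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = decode_fully(m.group("path"))
        if not path.startswith(endpoint_prefix):
            continue  # only the SendPortal webview endpoint is of interest here
        if SCRIPT_RE.search(path):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path})
    return hits


if __name__ == "__main__":
    for h in find_webview_script_requests(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["path"]}')
```

Point it at a real file by reading `/var/log/nginx/access.log` into `log_text`; the `/login` line is deliberately excluded to show the endpoint filter at work.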

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing user input before rendering or storing it to prevent execution of malicious JavaScript.

Specifically, it is recommended to use a sanitization tool such as `Mews\Purifier\Facades\Purifier` to clean the content field.

Additionally, avoid using the raw rendering directive `{!! $content !!}` in Laravel Blade templates. Instead, use the escaped rendering directive `{{ $content }}` to prevent unescaped HTML or script execution.

Since the project has not yet responded with a patch, these code changes or input sanitization should be applied as a temporary fix.

Also, monitor and restrict access to the `/webview/{hash}` endpoint if possible, and educate users about the risk of injecting untrusted content.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a stored Cross-Site Scripting (XSS) flaw that allows injection and execution of arbitrary JavaScript in the campaign content rendering functionality. This can lead to session hijacking, unauthorized actions, phishing, and credential harvesting.

Such security issues can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to user data, compromise of personal information, and failure to protect data confidentiality and integrity.

Specifically, GDPR requires appropriate technical measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Similarly, HIPAA mandates safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

Since this vulnerability allows remote exploitation and can affect multiple users, it poses a risk to meeting these regulatory requirements unless properly mitigated.

