Description
A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can manipulate the content argument for the /webview/ component of the Campaign Handler in Mettle Sendportal, resulting in reflected cross‑site scripting. Because the flaw is present in versions up to 3.0.1, an attacker can supply arbitrary script code from a remote source. Successful exploitation could allow the execution of client‑side code in the victim's browser, enabling credential theft, session hijacking, or malicious page modification. The description explicitly states a remote attack is possible and the exploit is publicly available.

Affected Systems

Mettle Sendportal versions up to and including 3.0.1 are affected. No specific sub‑components are listed beyond the /webview/ path of the Campaign Handler.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS data is unavailable and the vulnerability is not yet in the CISA KEV catalog, so the expected exploitation frequency is uncertain. However, because the attack vector is remote and the exploit is publicly available, organizations running affected versions should treat the risk as potentially meaningful. The lack of a patch in the vendor’s public channel implies the mitigation will rely on functional workarounds until an official fix is released.

Generated by OpenCVE AI on June 1, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Mettle’s official communication channels for a patch or update that addresses the XSS in /webview/ and apply it as soon as available.
  • Configure the web server or application firewall to enforce a strict Content Security Policy that restricts which scripts can be executed on the Campaign Handler pages.
  • If a patch is not yet available, implement input validation on the content argument before it is rendered, or temporarily block remote access to the /webview/ endpoint until a remediation is deployed.

Generated by OpenCVE AI on June 1, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title Mettle sendportal Campaign webview cross site scripting
First Time appeared Mettle
Mettle sendportal
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:*
Vendors & Products Mettle
Mettle sendportal
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Mettle Sendportal
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T07:00:11.419Z

Reserved: 2026-05-31T08:14:20.891Z

Link: CVE-2026-10234

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-01T08:16:19.927

Modified: 2026-06-01T08:16:19.927

Link: CVE-2026-10234

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T08:30:24Z

Weaknesses