CVE-2026-10234 Mettle CVE debrief

Who should care

Organizations running self-hosted instances of Mettle SendPortal ≤3.0.1, particularly those with untrusted or compromised user accounts that can create or modify campaign content. Security teams monitoring for unpatched public vulnerabilities with available exploits.

Technical summary

The vulnerability exists in the /webview/ path of the Campaign Handler component in Mettle SendPortal ≤3.0.1. The 'content' parameter accepts user input that is rendered without adequate sanitization, permitting injection of executable scripts. The CVSS 4.0 score of 2.0 (LOW) reflects limited impact scope (integrity only, no confidentiality or availability impact) and required user interaction, though the public exploit availability increases practical risk. The PR:L (low privileges required) in the CVSS vector suggests authenticated access may be needed, consistent with campaign management functionality.

Defensive priority

medium

Recommended defensive actions

• Review and sanitize all user-supplied input to the /webview/ endpoint, particularly the 'content' parameter, using context-appropriate encoding (HTML entity encoding for HTML contexts, JavaScript encoding for script conx
• Implement Content Security Policy (CSP) headers to mitigate impact of any XSS vulnerabilities in the Campaign Handler
• Monitor for and apply updates from the Mettle SendPortal project; consider temporary input validation or WAF rules for the /webview/ path if patching is delayed
• Review GitHub issue #338 for additional technical details and community discussion
• Conduct code review of the Campaign Handler component for additional instances of unsanitized output

Evidence notes

CVE published 2026-06-01 with Vuldb as CNA. GitHub issue #338 filed but vendor non-responsive. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P. Weaknesses: CWE-79, CWE-94.

Official resources