VYPR
Low severity · 3.5 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10234

Description

Stored XSS vulnerability in Mettle SendPortal up to 3.0.1 via unescaped Blade rendering in campaign webview allows authenticated users to inject arbitrary JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Mettle SendPortal up to version 3.0.1. The issue resides in the file /vendor/mettle/sendportal-core/resources/views/webview/show.blade.php, where user-supplied content in the campaign editor is rendered using Laravel Blade's {!! !!} directive without sanitization. This allows an authenticated user to inject arbitrary JavaScript into the content field, which is executed when the campaign preview or the public webview link is accessed [1].

Exploitation

An attacker must first authenticate as a valid user. They then create a campaign and, in the Content field, insert a malicious payload (a `<script>` element). Upon saving, the script is stored. When the attacker or another user opens the campaign preview page, or when the public webview link (`/webview/{hash}`) is accessed (even in incognito mode), the JavaScript executes without further authentication [1].

Impact

Successful exploitation results in stored XSS that can affect multiple users. Because the script runs in the application's origin, an attacker could potentially hijack user sessions, perform unauthorized actions on behalf of victims, or conduct phishing and credential harvesting attacks [1].

Mitigation

As of the publication date, the vendor has not responded to the issue and no official patch has been released. The recommended fix is to sanitize user input using a library like Mews\Purifier\Facades\Purifier before storing, and to avoid using raw Blade directives ({!! !!}) unless content is properly escaped [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"User-controlled campaign content is rendered without HTML escaping via Laravel Blade's `{!! !!}` directive, enabling stored cross-site scripting."

Attack vector

An authenticated attacker creates or edits a campaign and injects malicious JavaScript into the `content` field [ref_id=1]. The payload is stored and later rendered unescaped via the `{!! !!}` Blade directive [CWE-79]. The attack triggers when any user (including the attacker) opens the campaign preview page or accesses the public webview link at `/webview/{hash}` [ref_id=1]. No special network position is required beyond standard web access.

Affected code

The vulnerable file is `vendor/mettle/sendportal-core/resources/views/webview/show.blade.php`. The component uses Laravel Blade's `{!! !!}` directive to render the campaign `content` field without escaping, which allows stored XSS. The attack vector is the `/webview/` route and the campaign preview page.

What the fix does

The advisory recommends sanitizing user input with `Mews\Purifier\Facades\Purifier::clean()` before storing the content, and avoiding raw Blade rendering (`{!! !!}`) unless strictly necessary [ref_id=1]. No official patch has been released by the vendor as of the advisory publication.
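The hardening described under Mitigation and "What the fix does", as an added example that is not SendPortal's own code: the raw Blade line from the advisory beside its escaped form, and a store-side step that passes campaign content through `Purifier::clean()` before it is persisted. The controller, model and route names and the allowlist config are assumptions; `mews/purifier` is assumed to be installed.

```php
<?php
// Added example (not SendPortal code). Assumes Laravel with the mews/purifier
// package installed; the controller, model and route names are hypothetical.

use App\Models\Campaign;            // hypothetical model; SendPortal's own lives in sendportal-core
use Illuminate\Http\Request;
use Mews\Purifier\Facades\Purifier;

/*
 * 1. View layer: resources/views/webview/show.blade.php
 *
 * Vulnerable (as described in the advisory): {!! !!} emits the stored
 * content verbatim, so any <script> saved in the campaign runs in the
 * application's origin for every visitor of /webview/{hash}:
 *
 *     {!! $campaign->content !!}
 *
 * Safe default: {{ }} HTML-escapes through e(), so markup is shown as text:
 *
 *     {{ $campaign->content }}
 *
 * A campaign body is itself HTML, so escaping everything breaks legitimate
 * formatting. That is why the advisory pairs the raw directive with
 * sanitisation before storage (step 2) instead of dropping it outright.
 */

class CampaignContentController  // hypothetical name
{
    // Allowlist: elements and attributes an email body legitimately needs.
    // HTMLPurifier strips <script>, on* handlers and javascript: URLs by design.
    private const PURIFIER_CONFIG = [
        'HTML.Allowed'       => 'p,br,b,strong,i,em,u,a[href|title],ul,ol,li,'
                              . 'h1,h2,h3,img[src|alt|width|height],table,tr,td,th',
        'HTML.SafeIframe'    => false,
        'URI.AllowedSchemes' => ['http' => true, 'https' => true, 'mailto' => true],
    ];

    public function store(Request $request, Campaign $campaign)
    {
        $data = $request->validate(['content' => ['required', 'string']]);

        // Sanitise once, at the trust boundary, before persistence. The cleaned
        // string is what both the preview page and /webview/{hash} later render.
        $campaign->content = Purifier::clean($data['content'], self::PURIFIER_CONFIG);
        $campaign->save();

        return redirect()->route('campaigns.preview', $campaign);  // assumed route name
    }
}
```

Keeping `{!! !!}` is only acceptable once every write path to `content` goes through the sanitiser; a direct database edit or an import that bypasses the controller reintroduces the original issue.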

Preconditions

  • auth: Attacker must have a valid user account on the SendPortal instance
  • input: Attacker must be able to create or edit a campaign with a content field

Reproduction

Log in as a valid user, navigate to `/campaigns/create`, fill in the required fields, enter `<script>alert("XSS")</script>` in the Content field and click 'Save and continue'. The script executes immediately on the preview page and also on the public `/webview/{hash}` page [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)