Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities by Mettle
CVE-2026-15192 (GCVE-0-2026-15192)
Vulnerability from nvd – Published: 2026-07-09 16:30 – Updated: 2026-07-09 18:08
VLAI
EPSS
VEX
Title
mettle sendportal APIv1 Webhooks mailjet missing authentication
Summary
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377118 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377118/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15192 | third-party-advisory |
| https://vuldb.com/submit/851624 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/340 | exploitissue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15192",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:53:27.825956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:08:24.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:*"
],
"modules": [
"APIv1 Webhooks"
],
"product": "sendportal",
"vendor": "mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Superman_04 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:30:09.358Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377118 | mettle sendportal APIv1 Webhooks mailjet missing authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377118"
},
{
"name": "VDB-377118 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377118/cti"
},
{
"name": "CVE-2026-15192 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15192"
},
{
"name": "Submit #851624 | Mettle sendportal Latest Improper Authentication",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851624"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/340"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:41:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "mettle sendportal APIv1 Webhooks mailjet missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15192",
"datePublished": "2026-07-09T16:30:09.358Z",
"dateReserved": "2026-07-09T05:36:19.016Z",
"dateUpdated": "2026-07-09T18:08:24.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15191 (GCVE-0-2026-15191)
Vulnerability from nvd – Published: 2026-07-09 16:00 – Updated: 2026-07-14 00:59
VLAI
EPSS
VEX
Title
mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization
Summary
A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377117 | vdb-entry |
| https://vuldb.com/vuln/377117/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15191 | third-party-advisory |
| https://vuldb.com/submit/851622 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/339 | exploitissue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15191",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T00:59:05.928272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T00:59:15.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:*"
],
"modules": [
"Campaign Creation Endpoint"
],
"product": "sendportal",
"vendor": "mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Superman_04 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:00:08.591Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377117 | mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377117"
},
{
"name": "VDB-377117 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377117/cti"
},
{
"name": "CVE-2026-15191 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15191"
},
{
"name": "Submit #851622 | Mettle SendPortal Latest Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851622"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/339"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:39:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15191",
"datePublished": "2026-07-09T16:00:08.591Z",
"dateReserved": "2026-07-09T05:33:07.527Z",
"dateUpdated": "2026-07-14T00:59:15.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10234 (GCVE-0-2026-10234)
Vulnerability from nvd – Published: 2026-06-01 07:00 – Updated: 2026-06-02 13:44
VLAI
EPSS
VEX
Title
Mettle sendportal Campaign webview cross site scripting
Summary
A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367513 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367513/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10234 | third-party-advisory |
| https://vuldb.com/submit/822923 | third-party-advisory |
| https://vuldb.com/submit/825494 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/338 | exploitissue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10234",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T13:25:43.249131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T13:25:52.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:*"
],
"modules": [
"Campaign Handler"
],
"product": "sendportal",
"vendor": "Mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kabilan D"
},
{
"lang": "en",
"type": "reporter",
"value": "B1scuit (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "Superman_04 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:44:11.395Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367513 | Mettle sendportal Campaign webview cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367513"
},
{
"name": "VDB-367513 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367513/cti"
},
{
"name": "CVE-2026-10234 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10234"
},
{
"name": "Submit #822923 | Mettle sendportal v3.0.1 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822923"
},
{
"name": "Submit #825494 | mettle sendportal 3.0.1 Cross Site Scripting (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825494"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/338"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-02T15:46:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "Mettle sendportal Campaign webview cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10234",
"datePublished": "2026-06-01T07:00:11.419Z",
"dateReserved": "2026-05-31T08:14:20.891Z",
"dateUpdated": "2026-06-02T13:44:11.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7145 (GCVE-0-2026-7145)
Vulnerability from nvd – Published: 2026-04-27 17:45 – Updated: 2026-04-29 13:57
VLAI
EPSS
VEX
Title
mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization
Summary
A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359744 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359744/cti | signaturepermissions-required |
| https://vuldb.com/submit/801781 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/337 | issue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T13:57:45.953213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T13:57:58.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Invitation Handler"
],
"product": "sendportal",
"vendor": "mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "B1scuit (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T17:45:13.740Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359744 | mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359744"
},
{
"name": "VDB-359744 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359744/cti"
},
{
"name": "Submit #801781 | mettle sendportal v3.0.1 Insecure direct object reference",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/801781"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/337"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T21:58:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7145",
"datePublished": "2026-04-27T17:45:13.740Z",
"dateReserved": "2026-04-26T19:53:34.428Z",
"dateUpdated": "2026-04-29T13:57:58.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15192 (GCVE-0-2026-15192)
Vulnerability from cvelistv5 – Published: 2026-07-09 16:30 – Updated: 2026-07-09 18:08
VLAI
EPSS
VEX
Title
mettle sendportal APIv1 Webhooks mailjet missing authentication
Summary
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377118 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377118/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15192 | third-party-advisory |
| https://vuldb.com/submit/851624 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/340 | exploitissue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15192",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:53:27.825956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:08:24.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:*"
],
"modules": [
"APIv1 Webhooks"
],
"product": "sendportal",
"vendor": "mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Superman_04 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:30:09.358Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377118 | mettle sendportal APIv1 Webhooks mailjet missing authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377118"
},
{
"name": "VDB-377118 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377118/cti"
},
{
"name": "CVE-2026-15192 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15192"
},
{
"name": "Submit #851624 | Mettle sendportal Latest Improper Authentication",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851624"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/340"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:41:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "mettle sendportal APIv1 Webhooks mailjet missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15192",
"datePublished": "2026-07-09T16:30:09.358Z",
"dateReserved": "2026-07-09T05:36:19.016Z",
"dateUpdated": "2026-07-09T18:08:24.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15191 (GCVE-0-2026-15191)
Vulnerability from cvelistv5 – Published: 2026-07-09 16:00 – Updated: 2026-07-14 00:59
VLAI
EPSS
VEX
Title
mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization
Summary
A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377117 | vdb-entry |
| https://vuldb.com/vuln/377117/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15191 | third-party-advisory |
| https://vuldb.com/submit/851622 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/339 | exploitissue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15191",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T00:59:05.928272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T00:59:15.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:*"
],
"modules": [
"Campaign Creation Endpoint"
],
"product": "sendportal",
"vendor": "mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Superman_04 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:00:08.591Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377117 | mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377117"
},
{
"name": "VDB-377117 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377117/cti"
},
{
"name": "CVE-2026-15191 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15191"
},
{
"name": "Submit #851622 | Mettle SendPortal Latest Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851622"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/339"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:39:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15191",
"datePublished": "2026-07-09T16:00:08.591Z",
"dateReserved": "2026-07-09T05:33:07.527Z",
"dateUpdated": "2026-07-14T00:59:15.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10234 (GCVE-0-2026-10234)
Vulnerability from cvelistv5 – Published: 2026-06-01 07:00 – Updated: 2026-06-02 13:44
VLAI
EPSS
VEX
Title
Mettle sendportal Campaign webview cross site scripting
Summary
A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367513 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367513/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10234 | third-party-advisory |
| https://vuldb.com/submit/822923 | third-party-advisory |
| https://vuldb.com/submit/825494 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/338 | exploitissue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10234",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T13:25:43.249131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T13:25:52.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mettle:sendportal:*:*:*:*:*:*:*:*"
],
"modules": [
"Campaign Handler"
],
"product": "sendportal",
"vendor": "Mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kabilan D"
},
{
"lang": "en",
"type": "reporter",
"value": "B1scuit (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "Superman_04 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:44:11.395Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367513 | Mettle sendportal Campaign webview cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367513"
},
{
"name": "VDB-367513 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367513/cti"
},
{
"name": "CVE-2026-10234 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10234"
},
{
"name": "Submit #822923 | Mettle sendportal v3.0.1 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822923"
},
{
"name": "Submit #825494 | mettle sendportal 3.0.1 Cross Site Scripting (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825494"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/338"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-02T15:46:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "Mettle sendportal Campaign webview cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10234",
"datePublished": "2026-06-01T07:00:11.419Z",
"dateReserved": "2026-05-31T08:14:20.891Z",
"dateUpdated": "2026-06-02T13:44:11.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7145 (GCVE-0-2026-7145)
Vulnerability from cvelistv5 – Published: 2026-04-27 17:45 – Updated: 2026-04-29 13:57
VLAI
EPSS
VEX
Title
mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization
Summary
A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359744 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359744/cti | signaturepermissions-required |
| https://vuldb.com/submit/801781 | third-party-advisory |
| https://github.com/mettle/sendportal/issues/337 | issue-tracking |
| https://github.com/mettle/sendportal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mettle | sendportal |
Affected:
3.0.0
Affected: 3.0.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T13:57:45.953213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T13:57:58.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Invitation Handler"
],
"product": "sendportal",
"vendor": "mettle",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "B1scuit (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T17:45:13.740Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359744 | mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359744"
},
{
"name": "VDB-359744 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359744/cti"
},
{
"name": "Submit #801781 | mettle sendportal v3.0.1 Insecure direct object reference",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/801781"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/mettle/sendportal/issues/337"
},
{
"tags": [
"product"
],
"url": "https://github.com/mettle/sendportal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T21:58:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7145",
"datePublished": "2026-04-27T17:45:13.740Z",
"dateReserved": "2026-04-26T19:53:34.428Z",
"dateUpdated": "2026-04-29T13:57:58.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}