Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint with no credentials required; impact limited to integrity and availability of email records, no confidentiality loss.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Missing authentication on APIv1 webhook endpoints in sendportal up to 3.0.1 permits remote unauthenticated actors to invoke webhook handlers for SendGrid, Postmark, Postal, and Mailjet without any credential verification. The flaw enables integrity and availability manipulation of email processing pipelines from any network location. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the sendportal APIv1 webhook endpoint for at least one of SendGrid, Postmark, Postal, or Mailjet to be network-accessible from the attacker - typically true in any default internet-facing deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote exploitation with no prerequisites - any network-reachable instance is exposed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a sendportal instance with APIv1 webhook endpoints exposed on the public internet. Using publicly available exploit code referenced in VulDB submission 851624, they send a crafted unauthenticated POST request to the Mailjet webhook endpoint, injecting a fake unsubscribe or bounce event for targeted recipient addresses. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the maintainer has not responded to the disclosure per issue #340 at https://github.com/mettle/sendportal/issues/340. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42624
GHSA-qcqf-phv4-c959