CVE-2026-35390

CVSS Score & Metrics

Base Score

6.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

Vulnerability Details

Published Date

April 06, 2026

Last Modified

April 09, 2026

CWE ID

CWE-79

Source

NVD

Vendor

bulwarkmail

Product

webmail

External References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment