CVE-2026-35390
MEDIUM
Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks
Title source: cnaDescription
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.
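The following is an added example, not code from Bulwark's proxy.ts: a small TypeScript check that classifies a response's CSP posture, with the report-only pattern the advisory describes beside an enforcing equivalent. The header records and the policy string are constructed sample values.

```typescript
// Added example (not the project's own code): tell an enforcing CSP apart from
// a report-only one, and promote a report-only policy to the enforcing header.

type CspMode = "enforcing" | "report-only" | "absent";

// HTTP header names are case-insensitive; normalise before looking them up.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// A Content-Security-Policy-Report-Only header only produces violation
// reports; it never blocks a script. Only Content-Security-Policy enforces.
function cspMode(headers: Record<string, string>): CspMode {
  if (getHeader(headers, "Content-Security-Policy") !== undefined) return "enforcing";
  if (getHeader(headers, "Content-Security-Policy-Report-Only") !== undefined) return "report-only";
  return "absent";
}

// Constructed sample: the weak pattern from the advisory, policy present but
// only reported, so injected script in email HTML would still run.
const reportOnlyHeaders: Record<string, string> = {
  "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self'",
};

// Corrected pattern: copy the same policy into the enforcing header. The
// Report-Only header may stay alongside it to trial stricter rules later.
function enforce(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = { ...headers };
  const policy = getHeader(out, "Content-Security-Policy-Report-Only");
  if (policy !== undefined && getHeader(out, "Content-Security-Policy") === undefined) {
    out["Content-Security-Policy"] = policy;
  }
  return out;
}

// Usage: audit a captured response header set.
console.log(cspMode(reportOnlyHeaders));           // report-only
console.log(cspMode(enforce(reportOnlyHeaders)));  // enforcing
```

Running `cspMode` over the headers of a live response (for example from `fetch`) is a quick regression check that a deployment has the enforcing header and not only the report-only one.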
References (1)
x_refsource_confirm: https://github.com/bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65
Scores
CVSS v3
5.4
EPSS
0.0017
EPSS Percentile
6.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
bulwarkmail/webmail
< 1.4.11 (2 CPE variants)
Published
Apr 06, 2026
Tracked Since
Apr 07, 2026