Medium severity5.4NVD Advisory· Published Apr 6, 2026· Updated Apr 9, 2026

CVE-2026-35390

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

Affected products

Bulwarkmail/Webmail
cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*
Range: <1.4.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65nvdVendor Advisory

News mentions

Why Malwarebytes blocks some Yahoo Mail redirects
Malwarebytes Labs · May 14, 2026
Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks
BleepingComputer · May 2, 2026
Recovery scammers hit you when you’re down: Here’s how to avoid a second strike
ESET WeLiveSecurity · Apr 10, 2026

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000