Medium severity5.4NVD Advisory· Published Apr 6, 2026· Updated Apr 9, 2026
CVE-2026-35390
CVE-2026-35390
Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <1.4.11
Patches
Vulnerability mechanics
References
1- github.com/bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65nvdVendor Advisory
News mentions
0No linked articles in our index yet.