VYPR

Webmail

by Bulwarkmail

Source repositories

CVEs (5)

  • CVE-2026-35391 | High | Apr 6, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their…

  • CVE-2026-35389 | High | Apr 6, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid…

  • CVE-2026-34834 | High | Apr 2, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and…

  • CVE-2026-34833 | High | Apr 2, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network…

  • CVE-2026-35390 | Medium | Apr 6, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were…