CVE-2026-35390
Received Received - Intake

Cross-Site Scripting in Bulwark Webmail Proxy Allows Session Theft

Vulnerability report for CVE-2026-35390, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bulwarkmail webmail to 1.4.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Bulwark Webmail occurs because the reverse proxy was setting the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header prior to version 1.4.11.

This means that cross-site scripting (XSS) attacks were only logged but not blocked, allowing an attacker who can inject script content (for example, through crafted email HTML) to execute arbitrary JavaScript within the application.

Such execution could lead to stealing session tokens or performing actions on behalf of the user.

The issue was fixed in version 1.4.11 by properly enforcing the Content-Security-Policy header.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in the context of the Bulwark Webmail application.

As a result, attackers could steal session tokens, which might enable them to hijack user sessions.

Additionally, attackers could perform unauthorized actions on behalf of the user, potentially compromising the security and integrity of the user's email account and data.

Mitigation Strategies

The vulnerability is fixed in Bulwark Webmail version 1.4.11. To mitigate this vulnerability, you should upgrade your Bulwark Webmail installation to version 1.4.11 or later.

This update changes the reverse proxy to set the enforcing Content-Security-Policy header instead of the Content-Security-Policy-Report-Only header, which blocks cross-site scripting (XSS) attacks rather than just logging them.

Compliance Impact

This vulnerability allows cross-site scripting (XSS) attacks that could lead to the execution of arbitrary JavaScript in the context of the application. Such attacks may result in the theft of session tokens or unauthorized actions on behalf of users.

Because of this, the vulnerability could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access or data breaches.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35390. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart