CVE-2026-35390
Received Received - Intake
Cross-Site Scripting in Bulwark Webmail Proxy Allows Session Theft

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35390
EUVD
EUVD-2026-19479
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bulwarkmail webmail to 1.4.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Bulwark Webmail occurs because the reverse proxy was setting the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header prior to version 1.4.11.

This means that cross-site scripting (XSS) attacks were only logged but not blocked, allowing an attacker who can inject script content (for example, through crafted email HTML) to execute arbitrary JavaScript within the application.

Such execution could lead to stealing session tokens or performing actions on behalf of the user.

The issue was fixed in version 1.4.11 by properly enforcing the Content-Security-Policy header.

Compliance Impact

This vulnerability allows cross-site scripting (XSS) attacks that could lead to the execution of arbitrary JavaScript in the context of the application. Such attacks may result in the theft of session tokens or unauthorized actions on behalf of users.

Because of this, the vulnerability could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access or data breaches.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in the context of the Bulwark Webmail application.

As a result, attackers could steal session tokens, which might enable them to hijack user sessions.

Additionally, attackers could perform unauthorized actions on behalf of the user, potentially compromising the security and integrity of the user's email account and data.

Mitigation Strategies

The vulnerability is fixed in Bulwark Webmail version 1.4.11. To mitigate this vulnerability, you should upgrade your Bulwark Webmail installation to version 1.4.11 or later.

This update changes the reverse proxy to set the enforcing Content-Security-Policy header instead of the Content-Security-Policy-Report-Only header, which blocks cross-site scripting (XSS) attacks rather than just logging them.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35390. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart