Cross-Site Scripting Vulnerability in Bulwark Webmail from Stalwart Mail Server
CVE-2026-35390

5.3MEDIUM

Key Information:

Vendor: Bulwarkmail
Status: Webmail
Vendor: CVE Published:; 6 April 2026

🔔 Create Bulwarkmail Vulnerability Alert

What is CVE-2026-35390?

Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, had a significant vulnerability prior to version 1.4.11. The reverse proxy configuration improperly set the Content-Security-Policy-Report-Only header instead of the critical enforcing Content-Security-Policy header. As a result, while cross-site scripting attacks were logged, they were not blocked. This flaw enabled attackers to inject malicious script content, often through crafted email HTML, allowing for the execution of arbitrary JavaScript in the application's context. Consequently, attackers could potentially steal session tokens or execute actions as if they were the user.

Affected Version(s)

webmail < 1.4.11

References

https://github.com/bulwarkmail/webmail/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35390 Data

JSON