Impact
Bulwark Webmail, a self‑hosted client for Stalwart Mail Server, sent its Content‑Security‑Policy in Report‑Only mode before version 1.4.11, that is, as a Content‑Security‑Policy‑Report‑Only header rather than an enforcing Content‑Security‑Policy header. A report‑only policy only logs violations; the browser blocks nothing. Script embedded in the HTML of a rendered message therefore executed, so an attacker who could get a user to open a crafted e‑mail could run arbitrary JavaScript in that user's webmail session. This is a client‑side cross‑site scripting (XSS) vector that can steal session tokens, forge requests on the user's behalf, or otherwise act as the victim. The weakness is classified under CWE‑79.
Affected Systems
Any installation of Bulwark Webmail older than version 1.4.11 is affected. The defect is in the reverse‑proxy module, proxy.ts, and it affects the entire webmail application regardless of how the underlying mail server is configured.
Risk and Exploitability
The CVSS score of 5.3 (medium) reflects an impact on the confidentiality and integrity of user sessions. The attack is remote and needs no privileges on the webmail system: the attacker only has to deliver an e‑mail containing script to the target, or get script into a message the target will view, and wait for it to be opened, so user interaction is required but nothing beyond reading mail. No EPSS data is available and the vulnerability is not listed in CISA's KEV catalog, so there is no confirmed exploitation in the wild, but every user of a vulnerable instance is exposed as soon as a crafted message reaches their mailbox. Administrators should upgrade to 1.4.11 or later; until then, checking whether webmail responses carry an enforcing Content‑Security‑Policy header rather than the report‑only variant tells you whether an instance is affected.
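The following is an added example, not code from Bulwark Webmail's proxy.ts or from the vendor. It shows the weak header emission (a sound policy sent under the report‑only header name) beside the enforcing form, and an audit helper that classifies a response's headers the way a practitioner would when checking an instance. The policy string MAIL_CSP and the function names are assumptions for illustration; the vendor's actual policy and fix are not reproduced here.

```typescript
// Added example (not Bulwark Webmail's proxy.ts). Demonstrates why a
// report-only CSP does not stop script in rendered mail HTML, and how to
// audit a response for that condition.

type HeaderMap = Record<string, string>;

// A policy that forbids inline and third-party script in rendered mail.
// Assumed for illustration; not the vendor's policy.
const MAIL_CSP =
  "default-src 'self'; script-src 'none'; object-src 'none'; base-uri 'none'";

// Weak pattern: the policy is fine, but it is sent under the Report-Only
// header, so the browser logs a violation and still executes the script.
function buildHeadersReportOnly(): HeaderMap {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy-Report-Only": MAIL_CSP,
  };
}

// Corrected pattern: the same policy under the enforcing header name.
function buildHeadersEnforced(): HeaderMap {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": MAIL_CSP,
  };
}

interface CspAudit {
  enforced: boolean;     // an enforcing Content-Security-Policy is present
  reportOnly: boolean;   // a Report-Only header is present
  blocksScript: boolean; // the enforced policy forbids untrusted script
  finding: string;
}

// Return the source list of a directive, or undefined if it is absent.
function directive(policy: string, name: string): string[] | undefined {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return undefined;
}

// Heuristic: script-src (falling back to default-src) blocks untrusted
// script unless it allows 'unsafe-inline' or a wildcard source.
function policyBlocksScript(policy: string): boolean {
  const src = directive(policy, "script-src") ?? directive(policy, "default-src");
  if (src === undefined) return false;
  const lowered = src.map((s) => s.toLowerCase());
  if (lowered.includes("'unsafe-inline'") || lowered.includes("*")) return false;
  return true;
}

// Classify a response's headers. Header names are case-insensitive, so
// normalise before lookup.
function auditCsp(headers: HeaderMap): CspAudit {
  const lower: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const enforcedPolicy = lower["content-security-policy"];
  const reportOnlyPolicy = lower["content-security-policy-report-only"];
  const enforced = enforcedPolicy !== undefined;
  const reportOnly = reportOnlyPolicy !== undefined;
  const blocksScript = enforced && policyBlocksScript(enforcedPolicy);

  let finding: string;
  if (!enforced && reportOnly) {
    finding = "CSP is report-only: violations are logged, script still executes";
  } else if (!enforced) {
    finding = "no CSP header at all";
  } else if (!blocksScript) {
    finding = "CSP enforced but script-src permits inline or wildcard script";
  } else {
    finding = "CSP enforced and blocks untrusted script";
  }
  return { enforced, reportOnly, blocksScript, finding };
}

// Stand-alone demonstration: the weak headers are flagged, the fixed ones pass.
console.log(auditCsp(buildHeadersReportOnly()).finding);
console.log(auditCsp(buildHeadersEnforced()).finding);
```

To run the same check against a live deployment, fetch any webmail page with curl -sI and look at which header name comes back: a Content‑Security‑Policy‑Report‑Only line with no Content‑Security‑Policy line is the vulnerable state. Note also that a report‑only policy without a report‑to or report‑uri directive does not even produce reports, so the misconfiguration can be completely silent.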
OpenCVE Enrichment