Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) enabling session hijacking
Action: Patch
AI Analysis

Impact

The vulnerable Bulwark Webmail releases sent a Content-Security-Policy-Report-Only header from the reverse proxy (proxy.ts) where an enforcing Content-Security-Policy header was intended. A Report-Only policy tells the browser to report violations to the configured endpoint and to block nothing, so any script injected through HTML email rendered in the webmail UI executed unchallenged in the user's browser and surfaced only as a violation report. The attacker could then run arbitrary JavaScript in the application's origin, potentially stealing session tokens or performing actions on behalf of the user. The record maps the weakness to CWE-79 (cross-site scripting); the email-delivered vector it describes is a stored one, and the misconfigured CSP was the browser-side control that should have contained it.

Affected Systems

The flaw is in Bulwark Webmail, the self-hosted webmail client for Stalwart Mail Server, in its reverse proxy component (proxy.ts). All versions prior to 1.4.11 are affected, including 1.4.10 and earlier; 1.4.11 contains the fix. Administrators should check the installed version and upgrade, then confirm that responses from the instance carry an enforcing Content-Security-Policy header rather than only the Report-Only variant.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium); NVD's CVSS v3.1 assessment is 6.1 (Medium). Both vectors agree on the essentials: the flaw is reachable over the network with low attack complexity and no privileges required, but user interaction is needed (the victim must open or preview the crafted message), and the impact lands in the user's browser session (low confidentiality and integrity loss there) rather than on the server itself, which the v4.0 vector expresses as no impact on the vulnerable system and low impact on the subsequent system. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. That low probability should not be read as low attacker reach: email is attacker-controlled input, so the only precondition is that a user views a malicious message. The potential for session hijacking and unauthorized actions on behalf of the user warrants timely remediation.

Generated by OpenCVE AI on April 9, 2026 at 22:57 UTC.

Remediation

Vendor fix: Bulwark Webmail 1.4.11, which sends the enforcing Content-Security-Policy header. The record lists no separate workaround; as an operational stopgap not taken from the record, a reverse proxy or load balancer in front of the instance can add an enforcing Content-Security-Policy header itself (the browser enforces it even if the application still sends the Report-Only header), provided the policy has been tested against the application so it does not break the webmail UI.

OpenCVE Recommended Actions

  • Upgrade Bulwark Webmail to version 1.4.11 or later.
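The Impact section above explains why a Report-Only header leaves XSS unblocked, and the recommended action is to upgrade; the natural follow-up check is to fetch a page from the instance and confirm which CSP header actually comes back. The TypeScript below is an added example for that check, not code from Bulwark Webmail's proxy.ts or from the OpenCVE record: it parses a raw response header block (what `curl -sI` prints), classifies the response as missing, report-only, or enforcing, and, going a step beyond the record, grades an enforcing policy's effective script-src for 'unsafe-inline' without a nonce/hash and for any-origin sources. The two sample responses and the policies in them are constructed; the record does not show the real header values.

```typescript
// Added example for CVE-2026-35390: audit an HTTP response for the CSP misconfiguration
// described in the record (Content-Security-Policy-Report-Only sent instead of an
// enforcing Content-Security-Policy). This is not Bulwark Webmail's proxy.ts, and the
// sample responses below are constructed; the record does not show the real policy.

type CspVerdict =
  | { status: "missing"; reasons: string[] }
  | { status: "report-only"; reasons: string[] }
  | { status: "enforcing"; weak: boolean; reasons: string[] };

// Parse a raw HTTP header block (as printed by `curl -sI https://webmail.example/`)
// into lower-cased header name -> list of values (a header may repeat).
function parseHeaderBlock(raw: string): Record<string, string[]> {
  const headers: Record<string, string[]> = {};
  for (const line of raw.split(/\r?\n/)) {
    if (line.startsWith("HTTP/")) continue;          // status line, not a header
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                          // blank line or junk
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] ??= []).push(value);
  }
  return headers;
}

// Parse one CSP string into directive name -> source list.
// Per the spec, a directive repeated inside one policy is ignored after the first.
function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const [head, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!head) continue;
    const name = head.toLowerCase();
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Reasons one enforcing policy fails to meaningfully restrict script execution.
// The browser applies script-src if present, otherwise falls back to default-src.
function scriptWeaknesses(policy: string): string[] {
  const directives = parseCsp(policy);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return ["policy has neither script-src nor default-src"];
  const reasons: string[] = [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  // 'unsafe-inline' is ignored by CSP3 browsers when a nonce or hash is also present.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    reasons.push("script-src allows 'unsafe-inline' without a nonce or hash");
  }
  if (sources.some((s) => s === "*" || /^https?:$/.test(s))) {
    reasons.push("script-src allows scripts from any origin");
  }
  return reasons;
}

// Classify a response: no CSP at all, report-only (the CVE's condition), or enforcing.
// Several enforcing policies are all applied, so the set is strong if any one of them is.
function auditCsp(headers: Record<string, string[]>): CspVerdict {
  const enforcing = headers["content-security-policy"] ?? [];
  const reportOnly = headers["content-security-policy-report-only"] ?? [];
  if (enforcing.length === 0) {
    return reportOnly.length > 0
      ? { status: "report-only", reasons: ["only Content-Security-Policy-Report-Only is set: violations are reported, never blocked"] }
      : { status: "missing", reasons: ["no Content-Security-Policy header at all"] };
  }
  const perPolicy = enforcing.map(scriptWeaknesses);
  const weak = perPolicy.every((r) => r.length > 0);
  return { status: "enforcing", weak, reasons: weak ? ([] as string[]).concat(...perPolicy) : [] };
}

// Constructed sample responses (not captured from a real Bulwark Webmail instance).
const VULNERABLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; report-uri /csp-report",
  "",
].join("\r\n");

const FIXED_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  "",
].join("\r\n");

for (const [label, raw] of [["vulnerable", VULNERABLE_RESPONSE], ["fixed", FIXED_RESPONSE]] as const) {
  const verdict = auditCsp(parseHeaderBlock(raw));
  console.log(label, verdict.status, verdict.reasons.join("; "));
}
```

Run it against the output of `curl -sI` on the login page and on an authenticated mailbox view of the real instance (pasted into `parseHeaderBlock`), since a proxy may set headers differently per route; a "report-only" or "missing" verdict on any page that renders message HTML means the upgrade has not taken effect there.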

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:00:00 +0000

  CPEs (added): cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 20:45:00 +0000

  Metrics (added):
    cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

  First Time appeared (added): Bulwarkmail; Bulwarkmail webmail
  Vendors & Products (added): Bulwarkmail; Bulwarkmail webmail

Tue, 07 Apr 2026 00:00:00 +0000

  Description (added): Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.
  Title (added): Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks
  Weaknesses (added): CWE-79
  References (added): none recorded
  Metrics (added):
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

No values were removed in any of these entries.


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T19:33:05.084Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35390

Vulnrichment

Updated: 2026-04-07T19:33:00.604Z

NVD

Status : Analyzed

Published: 2026-04-06T21:16:20.723

Modified: 2026-04-09T20:49:31.790

Link: CVE-2026-35390

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:06Z

Weaknesses