PT-2026-30728 · Unknown · Stalwart Mail Server+1
Richardweinberger · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-35390
CVSS v4.0 5.3 Medium | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Bulwark Webmail versions prior to 1.4.11
Description
Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, was affected by an issue where the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. In report-only mode the browser reports policy violations but does not block them, so a cross-site scripting (XSS) payload was logged yet still executed. An attacker who could inject script content, such as through crafted email HTML, could execute arbitrary JavaScript in the application's context, potentially leading to session token theft or unauthorized actions performed on behalf of the user.
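The following is an added illustration, not code from Bulwark's proxy.ts or from this advisory. It shows the weak header (report-only) beside the corrected one (enforcing), and an audit function a defender can run over a proxied response's headers to flag the misconfiguration. The policy string, header map shape and function names are assumptions for the example; Bulwark's actual policy is not stated on the page.

```typescript
// Added example (not Bulwark's code): report-only vs. enforcing CSP, plus a
// response-header audit that catches the misconfiguration described above.

type HeaderMap = Record<string, string>;

// Assumed sample policy; Bulwark's real policy is not on the page.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Weak: the browser only reports violations, injected scripts still run.
function setCspReportOnly(headers: HeaderMap, policy: string): HeaderMap {
  return { ...headers, "content-security-policy-report-only": policy };
}

// Corrected: the enforcing header makes the browser block violating scripts.
function setCspEnforcing(headers: HeaderMap, policy: string): HeaderMap {
  return { ...headers, "content-security-policy": policy };
}

type CspStatus = "enforced" | "report-only" | "missing";

interface CspFinding {
  status: CspStatus;
  // Directive governing script execution: script-src, or default-src as fallback.
  scriptDirective: string | null;
  // True when arbitrary inline script would be permitted by that directive.
  allowsInlineScript: boolean;
}

// Split "name v1 v2; name2 v3" into a directive -> source-list map.
function parseDirectives(policy: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    out.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return out;
}

// Audit a response's headers: is CSP enforced, only reported, or absent,
// and does the governing directive still permit arbitrary inline script?
function auditCsp(headers: HeaderMap): CspFinding {
  const lower: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const enforcing = lower["content-security-policy"];
  const reportOnly = lower["content-security-policy-report-only"];
  const status: CspStatus = enforcing
    ? "enforced"
    : reportOnly
      ? "report-only"
      : "missing";

  const policy = enforcing ?? reportOnly;
  if (!policy) return { status, scriptDirective: null, allowsInlineScript: true };

  const directives = parseDirectives(policy);
  const name = directives.has("script-src")
    ? "script-src"
    : directives.has("default-src")
      ? "default-src"
      : null;
  if (name === null) return { status, scriptDirective: null, allowsInlineScript: true };

  const values = directives.get(name) ?? [];
  // Per CSP3, 'unsafe-inline' is ignored once a nonce or hash source is present.
  const hasNonceOrHash = values.some(
    (v) => /^'(nonce-|sha(256|384|512)-)/.test(v),
  );
  const allowsInline = values.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { status, scriptDirective: name, allowsInlineScript: allowsInline };
}

// Usage: compare the weak and corrected header sets.
console.log(auditCsp(setCspReportOnly({}, EXAMPLE_POLICY)));
console.log(auditCsp(setCspEnforcing({}, EXAMPLE_POLICY)));
```

The audit deliberately reads both header names case-insensitively, since a proxy may emit either casing; a finding of `report-only` on a page that renders untrusted HTML (such as email bodies) is the condition this advisory describes.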
Recommendations
Update Bulwark Webmail to version 1.4.11 or later.
Fix
XSS
Affected Products
Bulwark Webmail
Stalwart Mail Server