CVE-2026-35390

Source
https://cve.org/CVERecord?id=CVE-2026-35390
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35390.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35390
Aliases
  • GHSA-6q52-98cr-qx65
Published
2026-04-06T20:13:30.093Z
Modified
2026-07-15T01:49:14.283646917Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks
Details

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35390.json"
}
References

Affected packages

Git / github.com/bulwarkmail/webmail

Affected ranges

Type
GIT
Repo
https://github.com/bulwarkmail/webmail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.11"
        }
    ]
}

Affected versions

1.*
1.3.0
1.3.9
1.4.0
1.4.10
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35390.json"