CVE-2026-35390 MEDIUM

CVE-2026-35390: Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks

Vendor Bulwarkmail
Product webmail
Weakness CWE-79 · XSS
Published April 6, 2026
Last update April 7, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12837 aThemes Addons for Elementor <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget CVE-2016-9472 CVE-2023-5381 Elementor Addon Elements <= 1.12.7 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2023-41666 WordPress Stock Quotes List Plugin <= 2.9.9 is vulnerable to Cross Site Scripting (XSS) CVE-2024-12493 Files Download Delay <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting