Content-Security-Policy was set to Report-Only mode, failing to block XSS...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

Basic Information

ID CVE-2026-35390

Source GitHub_M

Published Apr 6, 2026 at 20:13

Modified Apr 7, 2026 at 19:33

Affected Product

Vendor bulwarkmail

Product webmail

Version < 1.4.11

Affected Versions bulwarkmail webmail < 1.4.11

CWE Classification

CWE-79

References

github.com /bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65

{
    "lastseen": "",
    "description": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.",
    "published": "2026-04-06T20:13:30.093Z",
    "modified": "2026-04-07T19:33:05.084Z",
    "type": "cve",
    "title": "Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks",
    "source": "GitHub_M",
    "references": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65",
    "id": "CVE-2026-35390",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "bulwarkmail webmail < 1.4.11",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "webmail",
    "version": "< 1.4.11",
    "vendor": "bulwarkmail",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks_CVE-2026-35390