CVE-2026-35390: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bulwarkmail webmail
Bulwark Webmail versions prior to 1. 4. 11 have a cross-site scripting (XSS) vulnerability due to the reverse proxy setting a Content-Security-Policy-Report-Only header instead of an enforcing Content-Security-Policy header. This allowed script injection via crafted email HTML, enabling execution of arbitrary JavaScript in the application context. The vulnerability is fixed in version 1. 4. 11.
AI Analysis
Technical Summary
CVE-2026-35390 is a cross-site scripting (CWE-79) vulnerability in Bulwark Webmail's reverse proxy component (proxy.ts) before version 1.4.11. The issue arises because the proxy sets the Content-Security-Policy-Report-Only header rather than the enforcing Content-Security-Policy header, which means that malicious scripts injected via crafted email HTML are logged but not blocked. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript in the context of the webmail application, potentially leading to session token theft or unauthorized actions performed on behalf of the user. The vulnerability is addressed by updating to Bulwark Webmail version 1.4.11 where the correct enforcing header is set.
Potential Impact
Successful exploitation allows arbitrary JavaScript execution within the webmail application context. This can lead to theft of session tokens or unauthorized actions performed by the attacker impersonating the user. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and user interaction needed.
Mitigation Recommendations
Upgrade Bulwark Webmail to version 1.4.11 or later, where the reverse proxy sets the enforcing Content-Security-Policy header instead of the Report-Only header, effectively blocking XSS attacks. No other mitigation is specified or required once the update is applied.
CVE-2026-35390: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bulwarkmail webmail
Description
Bulwark Webmail versions prior to 1. 4. 11 have a cross-site scripting (XSS) vulnerability due to the reverse proxy setting a Content-Security-Policy-Report-Only header instead of an enforcing Content-Security-Policy header. This allowed script injection via crafted email HTML, enabling execution of arbitrary JavaScript in the application context. The vulnerability is fixed in version 1. 4. 11.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35390 is a cross-site scripting (CWE-79) vulnerability in Bulwark Webmail's reverse proxy component (proxy.ts) before version 1.4.11. The issue arises because the proxy sets the Content-Security-Policy-Report-Only header rather than the enforcing Content-Security-Policy header, which means that malicious scripts injected via crafted email HTML are logged but not blocked. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript in the context of the webmail application, potentially leading to session token theft or unauthorized actions performed on behalf of the user. The vulnerability is addressed by updating to Bulwark Webmail version 1.4.11 where the correct enforcing header is set.
Potential Impact
Successful exploitation allows arbitrary JavaScript execution within the webmail application context. This can lead to theft of session tokens or unauthorized actions performed by the attacker impersonating the user. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and user interaction needed.
Mitigation Recommendations
Upgrade Bulwark Webmail to version 1.4.11 or later, where the reverse proxy sets the enforcing Content-Security-Policy header instead of the Report-Only header, effectively blocking XSS attacks. No other mitigation is specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T17:03:42.074Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d417e60a160ebd92da7f88
Added to database: 4/6/2026, 8:30:30 PM
Last enriched: 4/6/2026, 8:46:00 PM
Last updated: 4/6/2026, 10:47:30 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.