Vulnerability in Bulwarkmail Webmail
CVE-2026-35389
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted cer…
Vulnerability class: Improper Certificate Validation
EPSS: 0.000 (7.1th percentile)
Affected products
- Bulwarkmail Webmail — versions < 1.4.11
Weakness classification (CWE)
References
- https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256 (x_refsource_CONFIRM)