XSS in Bulwarkmail Webmail

CVE-2026-35390

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means…
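A header check for the misconfiguration described above, added here as an example (it is not code from Bulwark Webmail or its proxy.ts): it classifies a response as sending an enforcing CSP, a report-only CSP, or none. The function names, the `HeaderMap` type and the sample policy are assumptions made for illustration.

```typescript
type HeaderMap = Record<string, string | string[]>;
type CspMode = "enforced" | "report-only" | "missing";
interface CspFinding { mode: CspMode; restrictsScripts: boolean; detail: string }

// HTTP header names are case-insensitive, and a header may be sent more than once.
function headerValues(headers: HeaderMap, name: string): string[] {
  const out: string[] = [];
  for (const key of Object.keys(headers)) {
    const v = headers[key];
    if (v === undefined || key.toLowerCase() !== name) continue;
    for (const item of Array.isArray(v) ? v : [v]) {
      if (item.trim() !== "") out.push(item);
    }
  }
  return out;
}

// Directive names in one policy string, e.g. "default-src 'self'; img-src *".
function directiveNames(policy: string): string[] {
  return policy.split(";")
    .map((d) => (d.trim().split(/\s+/)[0] ?? "").toLowerCase())
    .filter((n) => n !== "");
}

// Classify a response: only the enforcing header makes the browser block anything.
function auditCsp(headers: HeaderMap): CspFinding {
  const enforced = headerValues(headers, "content-security-policy");
  const reportOnly = headerValues(headers, "content-security-policy-report-only");
  if (enforced.length === 0) {
    return reportOnly.length > 0
      ? { mode: "report-only", restrictsScripts: false,
          detail: "policy is only reported; the browser blocks nothing" }
      : { mode: "missing", restrictsScripts: false, detail: "no CSP header sent" };
  }
  let restricts = false;
  for (const policy of enforced) {
    for (const n of directiveNames(policy)) {
      if (n === "script-src" || n === "default-src") restricts = true;
    }
  }
  return { mode: "enforced", restrictsScripts: restricts,
    detail: restricts ? "script sources are restricted"
                      : "no script-src or default-src directive" };
}

// Constructed sample responses, not captured from Bulwark Webmail.
const POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";
const beforeFix: HeaderMap = { "Content-Security-Policy-Report-Only": POLICY };
const afterFix: HeaderMap = { "Content-Security-Policy": POLICY };
```

Running `auditCsp` over the headers of a deployed instance's responses (or in a regression test for the proxy) flags the report-only case even when the policy text itself looks correct.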

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (10.7th percentile)

Affected products

Weakness classification (CWE)

References