Vulnerability in Bulwarkmail Webmail

CVE-2026-35391

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by th…
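The weakness described above, next to a hardened alternative, as an added example that is not Bulwark Webmail's code or its 1.4.11 fix. The `Req` type, the function names and the trusted-proxy addresses are assumptions made up for illustration.

```typescript
// Added example, not Bulwark Webmail's code. All names here are hypothetical.
type Req = { peerAddr: string; headers: Record<string, string | undefined> };

// Constructed deployment assumption: the only reverse proxies allowed to
// append to X-Forwarded-For (documentation-range addresses).
const TRUSTED_PROXIES = new Set(["192.0.2.10", "192.0.2.11"]);

function parseXff(value: string | undefined): string[] {
  return (value ?? "")
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Weak pattern: the leftmost entry is whatever arrived in the request,
// so the value used for the "client IP" is chosen by the sender.
function clientIpLeftmost(req: Req): string {
  return parseXff(req.headers["x-forwarded-for"])[0] ?? req.peerAddr;
}

// Hardened: start from the TCP peer and walk the header right to left only
// while each hop is a proxy we operate. The first untrusted hop is the client.
function clientIpTrustedHops(req: Req, trusted: Set<string> = TRUSTED_PROXIES): string {
  let candidate = req.peerAddr;
  const hops = parseXff(req.headers["x-forwarded-for"]);
  while (trusted.has(candidate) && hops.length > 0) {
    candidate = hops.pop() as string;
  }
  return candidate;
}

// Constructed requests. 203.0.113.7 is the real client; 198.51.100.99 is a
// value already present in the header before the proxy appended its peer.
const viaProxy: Req = {
  peerAddr: "192.0.2.10",
  headers: { "x-forwarded-for": "198.51.100.99, 203.0.113.7" },
};
const directToApp: Req = {
  peerAddr: "203.0.113.7",
  headers: { "x-forwarded-for": "198.51.100.99" },
};
```

When the application is reachable without a proxy in front of it, the hardened function ignores the header entirely and returns the socket peer.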

EPSS: 0.000 (6.4th percentile)

Affected products

Weakness classification (CWE)

References