Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks

Description

A vulnerability classified as problematic was found in bulwarkmail webmail up to 1.4.10. The impacted element is an unknown function of the component Email Handler. Such manipulation of the argument Content-Security-Policy-Report-Only leads to cross site scripting. This vulnerability is referenced as CVE-2026-35390. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised.

Affected Products

Vendor	Product	Versions
bulwarkmail	webmail	< 1.4.11

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB2h ago

CVE-2026-35390 | bulwarkmail webmail up to 1.4.10 Email Content-Security-Policy-Report-Only cross site scripting

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.4.11

CWECWE-79

PublishedApr 6, 2026

Last enriched2h agov2

Trending Score47

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (3)

Version History

Last enriched 2h ago

v2Tier C2h ago

Updated description with new technical details, changed severity to HIGH, and noted that no exploit is available.

descriptionseverityactivelyExploitedpatchAvailable

via VulDB

v12h ago

Initial creation