Is there a patch available for EUVD-2026-19479?

Yes, a patch is available for EUVD-2026-19479. Update the affected software to the latest version immediately.

Webmail EUVD-2026-19479

Q: What is the CVSS score of EUVD-2026-19479?

EUVD-2026-19479 has a CVSS 4.0 base score of 5.3 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-35390 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-06 GitHub_M

XSS Webmail

5.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.4.11

EUVD ID Assigned

Apr 06, 2026 - 21:00 euvd

EUVD-2026-19479

Analysis Generated

Apr 06, 2026 - 21:00 vuln.today

CVE Published

Apr 06, 2026 - 20:13 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

AnalysisAI

Bulwark Webmail versions prior to 1.4.11 fail to enforce Content-Security-Policy headers, allowing unauthenticated attackers to execute arbitrary JavaScript through crafted email HTML. The reverse proxy incorrectly uses Content-Security-Policy-Report-Only instead of the enforcing Content-Security-Policy header, enabling XSS attacks that can steal session tokens or perform unauthorized actions on behalf of users. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 5.3 score reflects moderate real-world risk constrained by several mitigating factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious email containing embedded JavaScript (e.g., in HTML body or within an image src attribute with JavaScript protocol). When a Bulwark Webmail user opens the email in their browser, the CSP enforcement failure allows the script to execute without restriction. …
Remediation	Upgrade Bulwark Webmail to version 1.4.11 or later, which corrects the reverse proxy configuration to enforce Content-Security-Policy headers instead of Content-Security-Policy-Report-Only. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-19479 vulnerability details – vuln.today

Back