CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-35389

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 6.3%

CVSS Severity

CVSS v3 Score 7.5

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256

Products affected by CVE-2026-35389

Bulwarkmail » Webmail » Version: Any

cpe:2.3:a:bulwarkmail:webmail:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-35389

Products

Pricing

Contact Us