Nixpkgs security tracker

Permalink CVE-2026-35389

created 1 month ago Activity log

Created suggestion 1 month ago

Bulwark Webmail S/MIME signature verification accepted self-signed certificates

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256 x_refsource_CONFIRM

Affected products

webmail

==< 1.4.11

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35390

created 1 month ago Activity log

Created suggestion 1 month ago

Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked. Any user who could inject script content (e.g., via crafted email HTML) could execute arbitrary JavaScript in the context of the application, potentially stealing session tokens or performing actions on behalf of the user. This vulnerability is fixed in 1.4.11.

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-6q52-98cr-qx65 x_refsource_CONFIRM

Affected products

webmail

==< 1.4.11

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35537

3.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail before 1.5.14 and …

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

References

Affected products

Webmail

<1.6.14
<1.5.14

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35541

4.2 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail before 1.5.14 and …

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

References

Affected products

Webmail

<1.6.14
<1.5.14

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35545

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail before 1.5.15 and …

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

References

Affected products

Webmail

<1.6.15
<1.5.15

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35538

3.1 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail before 1.5.14 and …

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

References

Affected products

Webmail

<1.6.14
<1.5.14

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35540

5.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. …

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

References

Affected products

Webmail

<1.6.14

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35544

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail before 1.5.14 and …

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

References

Affected products

Webmail

<1.6.14
<1.5.14

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35543

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail before 1.5.14 and …

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

References

Affected products

Webmail

<1.6.14
<1.5.14

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Permalink CVE-2026-35539

6.1 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

An issue was discovered in Roundcube Webmail before 1.5.14 and …

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

References

Affected products

Webmail

<1.6.14
<1.5.14

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers