Description
WEBCON BPS is vulnerable to Reflected XSS via one of the parameters used by the "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
References (3)
Core References
Third Party Advisory: https://cert.pl/en/posts/2026/05/CVE-2026-1630/
Release Notes: https://community.webcon.com/download/changelog/398?q=db746ec
Release Notes: https://community.webcon.com/download/changelog/394?q=6a8b113
Scores
CVSS v4: 5.1
EPSS: 0.0043
EPSS Percentile: 34.2%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
WEBCON/WEBCON BPS: 2025.1.1.87 - 2025.2.1.293
WEBCON/WEBCON BPS: 2026.1.1.45 - 2026.1.3.109
Published: May 14, 2026
Tracked Since: May 14, 2026