Description

WEBCON BPS is vulnerable to Reflected XSS via one of the parameters used by the "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

PUBLISHED Reserved 2026-01-29 | Published 2026-05-14 | Updated 2026-05-14 | Assigner CERT-PL




MEDIUM: 5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status: unaffected

2026.1.1.45 (custom) before 2026.1.3.109: affected

2025.1.1.87 (custom) before 2025.2.1.293: affected

Credits

Konrad Szczepaniak (finder)

References

cert.pl/en/posts/2026/05/CVE-2026-1630/ (third-party-advisory)

community.webcon.com/download/changelog/398?q=db746ec (release-notes)

community.webcon.com/download/changelog/394?q=6a8b113 (release-notes)

cve.org (CVE-2026-1630)

nvd.nist.gov (CVE-2026-1630)