Reflected XSS in WEBCON BPS_CVE-2026-1630

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser.

This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

Basic Information

ID CVE-2026-1630

Source CERT-PL

Published May 14, 2026 at 13:24

Affected Product

Vendor WEBCON

Product WEBCON BPS

Version 2026.1.1.45

Affected Versions WEBCON WEBCON BPS 2026.1.1.45
WEBCON WEBCON BPS 2025.1.1.87

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by \"/openinmobileapp\" endpoint.\u00a0An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser.\n\nThis issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.",
    "published": "2026-05-14T13:24:14.616Z",
    "modified": "2026-05-14T13:24:14.616Z",
    "type": "cve",
    "title": "Reflected XSS in WEBCON BPS",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2026/05/CVE-2026-1630/\nhttps://community.webcon.com/download/changelog/398?q=db746ec\nhttps://community.webcon.com/download/changelog/394?q=6a8b113",
    "id": "CVE-2026-1630",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "WEBCON WEBCON BPS 2026.1.1.45\nWEBCON WEBCON BPS 2025.1.1.87",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WEBCON BPS",
    "version": "2026.1.1.45",
    "vendor": "WEBCON",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}