CVE-2026-1630

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
CVSS

No CVSS.

Configurations

No configuration.

History

14 May 2026, 14:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-14 14:16

Updated : 2026-06-17 10:16


NVD link : CVE-2026-1630

Mitre link : CVE-2026-1630

CVE.ORG link : CVE-2026-1630


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')