WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser.
This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
CVSS
No CVSS.
References
Configurations
No configuration.
History
14 May 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-14 14:16
Updated : 2026-06-17 10:16
NVD link : CVE-2026-1630
Mitre link : CVE-2026-1630
CVE.ORG link : CVE-2026-1630
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
