Reflected XSS Vulnerability in WEBCON BPS by WEBCON
CVE-2026-1630

5.1MEDIUM

Key Information:

Vendor: Webcon
Status: Webcon Bps
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-1630?

WEBCON BPS is exposed to a reflected cross-site scripting vulnerability due to improper handling of input passed through the '/openinmobileapp' endpoint. An attacker can craft a malicious URL that executes arbitrary JavaScript when accessed by an authenticated user. This can lead to various forms of exploitation, including data theft and session hijacking. Users are encouraged to update to versions 2026.1.3.109 or 2025.2.1.293 to mitigate this risk.

Affected Version(s)

WEBCON BPS 2026.1.1.45 < 2026.1.3.109

WEBCON BPS 2025.1.1.87 < 2025.2.1.293

References

https://cert.pl/en/posts/2026/05/CVE-2026-1630/

third-party-advisory

https://community.webcon.com/download/changelog/398?q=db7...

release-notes

https://community.webcon.com/download/changelog/394?q=6a8...

release-notes

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

Konrad Szczepaniak

CVE-2026-1630 Data

JSON

Webcon

What is CVE-2026-1630?

Affected Version(s)

References

CVSS V4

Timeline

Credit