CVE-2026-1630 MEDIUM

CVE-2026-1630: Reflected XSS in WEBCON BPS

Vendor Webcon

Product WEBCON BPS

Weakness CWE-79 · XSS

Published May 14, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

Key dates

02Disclosure timeline

May 14, 2026 CVE published

May 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-1630

Related vulnerabilities

Identifiers

CVE CVE-2026-1630

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor Webcon

Product WEBCON BPS

Affected ≥ 2026.1.1.45 and < 2026.1.3.109

Vendor Webcon

Product WEBCON BPS

Affected ≥ 2025.1.1.87 and < 2025.2.1.293

CVE-2026-1630: Reflected XSS in WEBCON BPS

01Description

02Disclosure timeline

03References

04Related CVE