CVE-2026-1630

Vulnerability Description

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

Related Weaknesses (CWE)

CWE-79

References

https://cert.pl/en/posts/2026/05/CVE-2026-1630/
https://community.webcon.com/download/changelog/394?q=6a8b113
https://community.webcon.com/download/changelog/398?q=db746ec

FAQ

What is CVE-2026-1630?

CVE-2026-1630 is a documented vulnerability. WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in...

How severe is CVE-2026-1630?

CVSS scoring is not yet available for CVE-2026-1630. Check NVD for updates.

Is there a patch for CVE-2026-1630?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.