CVE-2026-1630

Severity CVSS v4.0:
MEDIUM
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
14/05/2026
Last modified:
14/05/2026

Description

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim&amp;#39;s browser.<br /> <br /> This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.