CVE-2026-1630
Severity CVSS v4.0:
MEDIUM
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
14/05/2026
Last modified:
14/05/2026
Description
WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim&#39;s browser.<br />
<br />
This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
Impact
Base Score 4.0
5.10
Severity 4.0
MEDIUM



