CVE-2026-1630

UNKNOWN 0.0

Reflected XSS in WEBCON BPS

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

CWE	CWE-79
Vendor	webcon
Product	webcon bps
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for webcon webcon bps

Be the first to know when new unknown vulnerabilities affecting webcon webcon bps are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

WEBCON / WEBCON BPS

2026.1.1.45 < 2026.1.3.109 2025.1.1.87 < 2025.2.1.293

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cert.pl: https://cert.pl/en/posts/2026/05/CVE-2026-1630/ community.webcon.com: https://community.webcon.com/download/changelog/398?q=db746ec community.webcon.com: https://community.webcon.com/download/changelog/394?q=6a8b113

Credits

Konrad Szczepaniak