Skip to main content

WEBCON BPS CVE-2026-1630

| EUVDEUVD-2026-30279 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 CERT-PL GHSA-r6h3-9v4w-m3wg
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 16:30 vuln.today
Patch available
May 14, 2026 - 15:01 EUVD
CVSS changed
May 14, 2026 - 14:22 NVD
5.1 (MEDIUM)
CVE Published
May 14, 2026 - 13:24 nvd
MEDIUM 5.1
CVE Published
May 14, 2026 - 13:24 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser.

This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

AnalysisAI

Reflected XSS in WEBCON BPS via the '/openinmobileapp' endpoint allows unauthenticated attackers to inject arbitrary JavaScript that executes in authenticated users' browsers when a crafted URL is opened. The vulnerability requires user interaction (clicking a link) but impacts session confidentiality and integrity. Vendor-released patches are available for versions 2026.1.3.109 and 2025.2.1.293.

Technical ContextAI

WEBCON BPS is a business process management platform. The '/openinmobileapp' endpoint fails to properly sanitize user-supplied parameters before reflecting them in HTTP responses, violating the principle of output encoding. This is a classic Reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 vector indicates network-accessible attack surface (AV:N), low attack complexity (AC:L), and user interaction requirement (UI:A) - the user must click the malicious link. The impact is limited to the authenticated user's session scope (SC:L), affecting session integrity (SI:L) but not system-wide confidentiality or availability.

RemediationAI

Upgrade WEBCON BPS to version 2026.1.3.109 or later for the 2026 release line, or to version 2025.2.1.293 or later for the 2025 release line. Patches are available via the WEBCON community download portal (https://community.webcon.com/download/changelog/398 and https://community.webcon.com/download/changelog/394). No interim workarounds are documented. To mitigate risk during patching windows, restrict network access to WEBCON BPS administrative interfaces, disable user sharing of URLs to '/openinmobileapp' endpoints (via user awareness or network controls), and monitor server logs for suspicious parameter values in requests to this endpoint.

Share

CVE-2026-1630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy