Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser.
This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
AnalysisAI
Reflected XSS in WEBCON BPS via the '/openinmobileapp' endpoint allows unauthenticated attackers to inject arbitrary JavaScript that executes in authenticated users' browsers when a crafted URL is opened. The vulnerability requires user interaction (clicking a link) but impacts session confidentiality and integrity. Vendor-released patches are available for versions 2026.1.3.109 and 2025.2.1.293.
Technical ContextAI
WEBCON BPS is a business process management platform. The '/openinmobileapp' endpoint fails to properly sanitize user-supplied parameters before reflecting them in HTTP responses, violating the principle of output encoding. This is a classic Reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 vector indicates network-accessible attack surface (AV:N), low attack complexity (AC:L), and user interaction requirement (UI:A) - the user must click the malicious link. The impact is limited to the authenticated user's session scope (SC:L), affecting session integrity (SI:L) but not system-wide confidentiality or availability.
RemediationAI
Upgrade WEBCON BPS to version 2026.1.3.109 or later for the 2026 release line, or to version 2025.2.1.293 or later for the 2025 release line. Patches are available via the WEBCON community download portal (https://community.webcon.com/download/changelog/398 and https://community.webcon.com/download/changelog/394). No interim workarounds are documented. To mitigate risk during patching windows, restrict network access to WEBCON BPS administrative interfaces, disable user sharing of URLs to '/openinmobileapp' endpoints (via user awareness or network controls), and monitor server logs for suspicious parameter values in requests to this endpoint.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30279
GHSA-r6h3-9v4w-m3wg