Description
WEBCON BPS is vulnerable to reflected XSS via one of the parameters used by the "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser.

This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
Published: 2026-05-14
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WEBCON BPS contains a reflected cross-site scripting flaw in the "/openinmobileapp" endpoint. Input from a crafted URL is reflected into the page without adequate encoding, allowing an attacker to inject and execute arbitrary JavaScript in the victim's browser. The flaw is classified as CWE-79 and, if exploited, can compromise the confidentiality and integrity of the user's session.

Affected Systems

The affected product is WEBCON BPS. Versions earlier than 2026.1.3.109 and 2025.2.1.293 are vulnerable; the issue was resolved in those releases, so any deployment running an older WEBCON BPS version is at risk.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 indicates medium severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user to open a malicious link; the attacker's script then runs in the victim's browser, potentially hijacking the session or collecting sensitive data. The likely delivery vector is phishing or other social-engineering campaigns that embed the crafted URL.

Generated by OpenCVE AI on May 14, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WEBCON BPS to version 2026.1.3.109 or 2025.2.1.293 or later.
  • If an immediate upgrade is not possible, disable or restrict the /openinmobileapp endpoint for unauthenticated users, or validate and sanitize all query parameters before use.
  • If disabling the endpoint is not feasible, ensure server-side input validation or implement whitelist checks for the parameters used by the /openinmobileapp endpoint.

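As an added illustration of the validate-then-encode mitigation named in the last two recommendations, here is example code written for this page (not WEBCON's own code). The advisory does not name the affected parameter, so the parameter names id and app, their allow-list, and the rendered markup are assumptions; the point is that rejected input is never echoed and accepted input is still HTML-encoded before it reaches the response.

```javascript
// Constructed allow-list for a hypothetical "/openinmobileapp" handler:
// "id" must be a short decimal element id, "app" must be one of a few known values.
// These names and rules are assumptions for the example, not WEBCON's actual parameters.
const ALLOWED_APPS = new Set(['ios', 'android']);
const ID_PATTERN = /^[0-9]{1,12}$/;

// HTML entity encoding for text and double-quoted attribute contexts.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate the request's query string against the allow-list.
// Returns { ok: true, params } on success or { ok: false, error } on rejection.
function validateOpenInAppParams(requestUrl) {
  // Base origin is a placeholder so relative request paths can be parsed.
  const url = new URL(requestUrl, 'https://bps.example.invalid');
  const id = url.searchParams.get('id');
  const app = url.searchParams.get('app');
  if (id === null || !ID_PATTERN.test(id)) return { ok: false, error: 'invalid id' };
  if (app === null || !ALLOWED_APPS.has(app)) return { ok: false, error: 'invalid app' };
  return { ok: true, params: { id, app } };
}

// Build the response. Rejected input gets a fixed 400 body that never reflects the input;
// accepted values are still encoded, as defence in depth if the allow-list is later relaxed.
function renderOpenInApp(requestUrl) {
  const result = validateOpenInAppParams(requestUrl);
  if (!result.ok) {
    return { status: 400, body: '<p>Invalid request.</p>' };
  }
  const { id, app } = result.params;
  const body =
    `<p>Opening element ${encodeHtml(id)} in the ${encodeHtml(app)} app.</p>` +
    `<a href="/mobile/${encodeHtml(app)}/element/${encodeHtml(id)}">Continue</a>`;
  return { status: 200, body };
}

// Stand-alone demonstration on constructed requests.
console.log(renderOpenInApp('/openinmobileapp?id=42&app=ios'));
console.log(renderOpenInApp('/openinmobileapp?id=42%3Cb%3E&app=ios'));
```

The two functions are deliberately separate: validation decides whether the request is served at all, while encoding protects the specific output context (text node and attribute value). Encoding alone would also be sufficient for these contexts, but a strict allow-list additionally stops unexpected values from reaching downstream code such as redirects or app links, where HTML encoding would not help.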


Advisories

No advisories yet.

History

Thu, 14 May 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 13:30:00 +0000

Type: Description
Values removed: (none)
Values added: WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

Type: Title
Values removed: (none)
Values added: Reflected XSS in WEBCON BPS

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (not shown)

Type: Metrics (cvssV4_0)
Values removed: (none)
Values added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-14T15:19:00.384Z

Reserved: 2026-01-29T15:28:27.272Z

Link: CVE-2026-1630

Vulnrichment

Updated: 2026-05-14T15:18:11.519Z

NVD

Status: Deferred

Published: 2026-05-14T14:16:16.537

Modified: 2026-05-14T16:07:11.137

Link: CVE-2026-1630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T15:15:23Z

Weaknesses