CVE-2026-1630

Published: May 14, 2026

Modified: May 14, 2026

PUBLISHED

Description

WEBCON BPS is vulnerable to Reflected XSS via one of the parameters used by the "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

Vendor: WEBCON

Product: WEBCON BPS

Versions:

affected: 2026.1.1.45 - < 2026.1.3.109
affected: 2025.1.1.87 - < 2025.2.1.293

Weaknesses (CWE)
