CVE-2026-1630
Description
WEBCON BPS is vulnerable to Reflected XSS via one of the parameters used by the "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser.
This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WEBCON BPS is vulnerable to Reflected XSS in the /openinmobileapp endpoint, allowing arbitrary JavaScript execution when an authenticated user opens a crafted URL.
Vulnerability
The vulnerability is a Reflected Cross-Site Scripting (XSS) in WEBCON BPS, affecting the /openinmobileapp endpoint via one of its parameters. This improper neutralization of user input (CWE-79) allows an attacker to inject arbitrary JavaScript. Affected versions are 2026.1.1.45 up to but not including 2026.1.3.109, and 2025.1.1.87 up to but not including 2025.2.1.293, as detailed in CERT Polska's advisory [1].
Exploitation
An attacker can send a specially crafted URL containing a malicious script in the vulnerable parameter. No special privileges are required beyond the victim being an authenticated user of the WEBCON BPS application who opens the link; the script then executes in the victim's browser session [1].
Impact
Successful exploitation results in arbitrary JavaScript execution in the victim's browser within the context of the WEBCON BPS application. This can lead to information disclosure, session hijacking, or other actions performable by the victim's user account [1].
Mitigation
The vulnerability is fixed in WEBCON BPS versions 2026.1.3.109 and 2025.2.1.293. Administrators should update to these or later versions on the respective release branch as soon as possible. No workarounds are mentioned in the available reference [1].
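The affected ranges above are easy to misread when checking an installed build by hand, so the following is an added example (not code from WEBCON or CERT Polska) that turns the two ranges stated in this advisory into a check an administrator can run against a version string. It assumes WEBCON BPS versions are four dotted integers, as the version numbers quoted in the advisory are, and compares them component by component rather than as strings.

```python
"""
Check whether a WEBCON BPS version string falls inside the ranges this
advisory lists as affected by CVE-2026-1630 (reflected XSS in
/openinmobileapp). Illustrative helper, not vendor code.

Ranges are taken from the advisory text:
    2026.1.1.45 <= v < 2026.1.3.109
    2025.1.1.87 <= v < 2025.2.1.293
The dotted-integer version format is assumed from those strings.
"""
from __future__ import annotations

# (first affected, first fixed) per release branch, as stated on the page.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("2026.1.1.45", "2026.1.3.109"),
    ("2025.1.1.87", "2025.2.1.293"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Split '2026.1.3.109' into (2026, 1, 3, 109) for numeric comparison.

    Comparing the raw strings would be wrong: '2026.1.3.109' < '2026.1.3.50'
    lexicographically, so each component must be compared as an integer.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> str | None:
    """Return the first fixed release on the installed branch, or None
    if the given version is outside every affected range."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version lies in an affected range of CVE-2026-1630."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    for sample in ("2026.1.2.50", "2026.1.3.109", "2025.2.1.292", "2024.1.1.1"):
        target = fixed_version_for(sample)
        status = f"affected, update to {target}" if target else "not in affected range"
        print(f"{sample}: {status}")
```

Note that a version before the first affected build on a branch (for example 2025.1.1.86) is reported as not in range, because the advisory only names the ranges above; whether older builds carry the same flaw is not stated on the page, so the check should not be read as clearing them.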
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 3
News mentions: 0 (no linked articles in the index yet)