ByteOS Network

NVD Vulnerability Details :

CVE-2026-1630

Deferred

Source-cvd@cert.pl

Published At-14 May, 2026 | 14:16

Updated At-14 May, 2026 | 16:07

WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	5.1	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 5.1

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	cvd@cert.pl

CWE ID: CWE-79

Type: Primary

Source: cvd@cert.pl

References

Hyperlink	Source	Resource
https://cert.pl/en/posts/2026/05/CVE-2026-1630/	cvd@cert.pl	N/A
https://community.webcon.com/download/changelog/394?q=6a8b113	cvd@cert.pl	N/A
https://community.webcon.com/download/changelog/398?q=db746ec	cvd@cert.pl	N/A