WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint.Β An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim's browser. This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
Get an AI-powered plain-language explanation of this vulnerability and remediation steps.
Login to generate AI explanation3 reference(s) from NVD