PcVue, Missing Secure and SameSite Attributes, CVE-2026-1697 (Medium)

Listen to this Post

CVE-2026-1697 describes a vulnerability in PcVue versions 12.0.0 through 16.3.3, where the Secure and SameSite attributes are missing in the GraphicalData web services and WebClient web app. These attributes are critical for cookie security: the Secure flag ensures cookies are only sent over HTTPS, preventing interception in transit, while SameSite restricts cookie sending to same-site requests, mitigating Cross-Site Request Forgery (CSRF) attacks. Without them, cookies may be transmitted over unencrypted connections or during cross-origin requests, exposing session data to eavesdropping or CSRF. The vulnerability has a CVSS v4.0 base score of 5.3 (Medium) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear, indicating network attack vector, low complexity, no privileges required, but user interaction needed. It was published on 2026-02-26 and last modified on 2026-03-12 by arcinfo. Attackers could exploit this to perform session hijacking or CSRF, potentially leading to unauthorized actions on behalf of authenticated users.

dailycve form:

Platform: PcVue
Version: 12.0.0 – 16.3.3
Vulnerability: Missing Secure & SameSite
Severity: Medium
date: 2026-03-12

Prediction: 2026-04-30

What Undercode Say:

Showing bash commands and codes related to the blog

Check for missing Secure and SameSite attributes in cookies
curl -I -k https://target-pcvue-server/GraphicalData
Look for Set-Cookie header without Secure;SameSite flags
Test CSRF vulnerability using a malicious site
curl -X POST -d "action=delete&id=1" http://target-pcvue-server/WebClient -H "Cookie: session=abc123"

How Exploit:

  1. Attacker crafts a malicious site with CSRF payload targeting PcVue WebClient.
  2. Victim authenticated to PcVue visits attacker’s site, triggering unauthorized request.

3. Missing SameSite attribute allows cross-origin cookie transmission.

  1. Or, attacker on same network intercepts HTTP traffic to steal unsecured cookies.

Protection from this CVE

  • Upgrade to patched PcVue version when available.
  • Manually configure web server to enforce Secure and SameSite attributes for cookies.
  • Use HTTPS exclusively and enable HSTS.
  • Implement CSRF tokens in web applications.

Impact

  • Session hijacking via unencrypted cookie transmission.
  • Cross-Site Request Forgery leading to unauthorized actions.
  • Data integrity and confidentiality compromise for authenticated users.
  • Potential privilege escalation in industrial control contexts.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top