CVE-2026-1692

A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.pcvue.com/security/#SB2026-2	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:arcinformatique:pcvue::::::::
	cpe:2.3:a:arcinformatique:pcvue::::::::

History

No history.

Information

Published : 2026-02-26 08:16

Updated : 2026-03-12 14:20

NVD link : CVE-2026-1692

Mitre link : CVE-2026-1692

CVE.ORG link : CVE-2026-1692

JSON object : View

Products Affected

arcinformatique

pcvue

CWE

CWE-1385

Missing Origin Validation in WebSockets

{"id": "CVE-2026-1692", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 5.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T08:16:18.160", "references": [{"url": "https://www.pcvue.com/security/#SB2026-2", "tags": ["Vendor Advisory"], "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "description": [{"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website.\n\nThis vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect."}, {"lang": "es", "value": "Una vulnerabilidad de validaci\u00f3n de origen faltante en WebSockets afecta a los servicios web GraphicalData utilizados por las caracter\u00edsticas WebVue, WebScheduler, TouchVue y SnapVue de PcVue en la versi\u00f3n 12.0.0 hasta la 16.3.3 incluida. Podr\u00eda permitir a un atacante remoto atraer a un usuario autenticado con \u00e9xito a un sitio web malicioso.\n\nEsta vulnerabilidad solo afecta a los dos siguientes endpoints: GraphicalData/js/signalR/connect y GraphicalData/js/signalR/reconnect."}], "lastModified": "2026-03-12T14:20:44.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "991311B5-07A8-4CA5-9A07-17D0110128AF", "versionEndIncluding": "15.2.13", "versionStartIncluding": "12.0.0"}, {"criteria": "cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36C7C670-9A8E-49CD-A04C-8426A4C0C911", "versionEndExcluding": "16.3.4", "versionStartIncluding": "16.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932"}