CVE Catalog

CVE-2026-1692

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

Missing origin validation in WebSockets in PcVue versions 12.0.0 through 16.3.3 (WebVue, WebScheduler, TouchVue, SnapVue) allows a remote attacker to lure an authenticated user to a malicious website. Only endpoints GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect are affected.

Risk Assessment

An attacker could exploit this to hijack sessions or perform unauthorized actions on behalf of the authenticated user, potentially leading to data leakage or system disruption.

Recommendation

Upgrade PcVue to a version later than 16.3.3 immediately. As a workaround, restrict access to the vulnerable endpoints via firewall rules or access control lists.

Original NVD description (English source)

A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS