CVE-2026-1692
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
Missing origin validation in WebSockets in PcVue versions 12.0.0 through 16.3.3 (WebVue, WebScheduler, TouchVue, SnapVue) allows a remote attacker to lure an authenticated user to a malicious website. Only endpoints GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect are affected.
Risk Assessment
An attacker could exploit this to hijack sessions or perform unauthorized actions on behalf of the authenticated user, potentially leading to data leakage or system disruption.
Recommendation
Upgrade PcVue to a version later than 16.3.3 immediately. As a workaround, restrict access to the vulnerable endpoints via firewall rules or access control lists.
Original NVD description (English source)
A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.

