CVE Catalog

CVE-2026-1695

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile - higher than 11% of all known CVEs

Summary

An XSS vulnerability in PcVue OAuth services (versions 12.0.0–16.3.3) allows a remote attacker to inject malicious code into the OAuth server error page. The attack requires tricking an authenticated user into loading content from an external site after a failed login.

Risk Assessment

The risk involves potential session theft or credential harvesting by hijacking the victim's browser context. This could lead to unauthorized SCADA system access and manipulation of industrial processes.

Recommendation

Immediately upgrade PcVue to version 16.3.4 or later which includes the fix. Until patched, restrict access to OAuth error pages from untrusted IP addresses.

Original NVD description (English source)

An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to trick a legitimate user into loading content from another site upon unsuccessful user authentication on an unknown application (unknown client_id). This vulnerability only affects the error page of the OAuth server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS