CVE-2026-1692
Received Received - Intake

Missing Origin Validation in PcVue WebSockets Enables CSRF Attack

Vulnerability report for CVE-2026-1692, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-26

Last updated on: 2026-03-12

Assigner: arcinfo

Description

A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-26
Last Modified
2026-03-12
Generated
2026-07-06
AI Q&A
2026-02-26
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
arcinformatique pcvue From 16.0.0 (inc) to 16.3.4 (exc)
arcinformatique pcvue From 12.0.0 (inc) to 15.2.13 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a missing origin validation issue in the WebSockets implementation of the GraphicalData web services used by several PcVue features including WebVue, WebScheduler, TouchVue, and SnapVue in versions 12.0.0 through 16.3.3.

Because the origin of WebSocket connections is not properly validated, a remote attacker could trick an authenticated user into visiting a malicious website that could exploit this flaw.

The vulnerability specifically affects two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.

Impact Analysis

This vulnerability might allow a remote attacker to lure a successfully authenticated user to a malicious website, potentially leading to unauthorized actions or data exposure through the affected WebSocket endpoints.

Since the attacker can exploit the missing origin validation, it could result in cross-site WebSocket hijacking or other attacks that leverage the user's authenticated session.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1692. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart