CVE-2026-1692
Received Received - Intake
Missing Origin Validation in PcVue WebSockets Enables CSRF Attack

Publication date: 2026-02-26

Last updated on: 2026-03-12

Assigner: arcinfo

Description
A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1692
EUVD
EUVD-2026-8836
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
arcinformatique pcvue From 16.0.0 (inc) to 16.3.4 (exc)
arcinformatique pcvue From 12.0.0 (inc) to 15.2.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a missing origin validation issue in the WebSockets implementation of the GraphicalData web services used by several PcVue features including WebVue, WebScheduler, TouchVue, and SnapVue in versions 12.0.0 through 16.3.3.

Because the origin of WebSocket connections is not properly validated, a remote attacker could trick an authenticated user into visiting a malicious website that could exploit this flaw.

The vulnerability specifically affects two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.

Impact Analysis

This vulnerability might allow a remote attacker to lure a successfully authenticated user to a malicious website, potentially leading to unauthorized actions or data exposure through the affected WebSocket endpoints.

Since the attacker can exploit the missing origin validation, it could result in cross-site WebSocket hijacking or other attacks that leverage the user's authenticated session.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1692. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart