CVE-2026-1692
Missing Origin Validation in PcVue WebSockets Enables CSRF Attack
Publication date: 2026-02-26
Last updated on: 2026-03-12
Assigner: arcinfo
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arcinformatique | pcvue | From 16.0.0 (inc) to 16.3.4 (exc) |
| arcinformatique | pcvue | From 12.0.0 (inc) to 15.2.13 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1385 | The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a missing origin validation issue in the WebSockets implementation of the GraphicalData web services used by several PcVue features including WebVue, WebScheduler, TouchVue, and SnapVue in versions 12.0.0 through 16.3.3.
Because the origin of WebSocket connections is not properly validated, a remote attacker could trick an authenticated user into visiting a malicious website that could exploit this flaw.
The vulnerability specifically affects two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.
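The missing check described above, written out as an added example (not code from PcVue or from the advisory): a strict Origin allowlist applied to WebSocket upgrade requests for the two named endpoints, usable in front of the service or when auditing captured handshakes. The host `hmi.example.test`, the function names and the sample requests are constructed, and denying requests that carry no Origin header is an assumed policy.

```python
from urllib.parse import urlsplit

# Endpoint paths come from the advisory text; hosts and requests are constructed.
PROTECTED = ("/graphicaldata/js/signalr/connect", "/graphicaldata/js/signalr/reconnect")
DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED = ["https://hmi.example.test"]  # hypothetical deployment origin

def canonical_origin(value):
    """Parse a serialized origin into (scheme, host, port); None if unusable."""
    if not value or value.strip().lower() == "null":
        return None  # absent header or opaque origin (sandboxed frame, file://)
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A browser-sent Origin has no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    port = DEFAULT_PORTS[parts.scheme] if port is None else port
    return (parts.scheme, parts.hostname.lower(), port)

def check_handshake(path, headers, allowed_origins=ALLOWED):
    """Return 'not-applicable', 'allow' or 'deny' for one HTTP request."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    is_ws = hdrs.get("upgrade", "").lower() == "websocket"
    if not is_ws or not urlsplit(path).path.lower().endswith(PROTECTED):
        return "not-applicable"
    allowed = {canonical_origin(o) for o in allowed_origins} - {None}
    # Exact (scheme, host, port) comparison: no prefix or substring matching.
    return "allow" if canonical_origin(hdrs.get("origin")) in allowed else "deny"

WS = {"Upgrade": "websocket"}
SAMPLES = [  # constructed handshake requests: (request target, headers)
    ("/GraphicalData/js/signalR/connect?x=1", {**WS, "Origin": "https://hmi.example.test"}),
    ("/GraphicalData/js/signalR/connect", {**WS, "Origin": "https://hmi.example.test.other.example"}),
    ("/GraphicalData/js/signalR/connect", {**WS, "Origin": "null"}),
    ("/GraphicalData/js/signalR/reconnect", WS),  # no Origin header at all
    ("/GraphicalData/js/signalR/reconnect", {**WS, "Origin": "HTTPS://HMI.EXAMPLE.TEST:443"}),
    ("/index.html", {**WS, "Origin": "https://other.example"}),
]

def run_samples():
    return [check_handshake(path, hdrs) for path, hdrs in SAMPLES]

if __name__ == "__main__":
    print(*zip(run_samples(), (path for path, _ in SAMPLES)), sep="\n")
```

The second sample shows why the comparison is made on the parsed tuple: a lookalike host that merely starts with the trusted name would pass a prefix or substring test.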
How can this vulnerability impact me?
This vulnerability might allow a remote attacker to lure a successfully authenticated user to a malicious website, potentially leading to unauthorized actions or data exposure through the affected WebSocket endpoints.
Since the attacker can exploit the missing origin validation, it could result in cross-site WebSocket hijacking or other attacks that leverage the user's authenticated session.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know