CVE-2026-1695

MEDIUM

PcVue 12.0.0-16.3.3 - Cross-Site Scripting in OAuth Error Page

Title source: llm

Description

An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to trick a legitimate user into loading content from another site upon unsuccessful user authentication on an unknown application (unknown client_id). This vulnerability only affects the error page of the OAuth server.

References (1)

Core 1

Core References

Various Sources vendor-advisory

https://www.pcvue.com/security/#SB2026-2

Scores

CVSS v3 6.1

EPSS 0.0021

EPSS Percentile 10.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (4)

arcinfo/PcVue 12.0.0

arcinfo/PcVue 15.0.0 - 15.2.13

arcinfo/PcVue 16.0.0 - 16.3.3

arcinformatique/pcvue 12.0.0 - 15.2.13

Published Feb 26, 2026

Tracked Since Feb 26, 2026