Pcvue
CVE-2026-1693
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear
Primary rating from Vendor (87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932) · only source for this CVE.
CVSS VectorVendor: 87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear
Lifecycle Timeline
4DescriptionCVE.org
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
AnalysisAI
PcVue versions 12.0.0 through 16.3.3 use the deprecated OAuth Resource Owner Password Credentials flow in their web services, enabling remote attackers to steal user credentials without authentication or user interaction. The vulnerability affects WebVue, WebScheduler, TouchVue, and Snapvue components and carries a high severity rating with no patch currently available.
Technical ContextAI
Affects Pcvue. The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may al
Privilege escalation in ARC Informatique PcVue SCADA/HMI software (all versions prior to 17.0.0) arises because the encr
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to a denial-of-service attack due to the ability of an una
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to information exposure, allowing unauthorized users to ac
Insecure credential storage in PcVue exposes built-in user account passwords to any local attacker with low-privileged f
An insertion of sensitive information into log file vulnerability exists in PcVue versions 15 through 15.2.2. Rated medi
The affected device stores sensitive information in cleartext, which may allow an authenticated user to access session d
A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. Rated medium se
Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malici
PcVue versions 15.0.0 through 16.3.3 are vulnerable to HTTP Host header injection in the WebClient and WebScheduler auth
PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabl
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and We
Same weakness CWE-477 – Use of Obsolete Function
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today