CVE-2026-1698 is a medium severity HTTP Host header injection vulnerability affecting arcinfo's PcVue WebClient and WebScheduler web applications versions 15. 0. 0 through 16. 3. 3. The flaw exists in specific authentication-related endpoints, allowing remote attackers to inject malicious payloads that can manipulate server-side behavior. Exploitation requires no privileges but does require user interaction. The vulnerability stems from improper neutralization of HTTP headers (CWE-644), potentially enabling attacks such as web cache poisoning or cross-site scripting via header manipulation. No known exploits are currently reported in the wild. Organizations using affected PcVue versions should prioritize patching or mitigating this issue to prevent potential abuse.

CVE-2026-1698 is a vulnerability classified under CWE-644, which involves improper neutralization of HTTP headers for scripting syntax. This flaw affects arcinfo's PcVue product, specifically the WebClient and WebScheduler web applications in versions 15.0.0 through 16.3.3. The vulnerability resides in three authentication-related endpoints: /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout. An attacker can exploit this by sending crafted HTTP Host headers that are not properly sanitized by the server, allowing injection of malicious payloads. These payloads can manipulate server-side behavior, potentially leading to attacks such as web cache poisoning, cross-site scripting (XSS), or other header injection-based exploits. The vulnerability is remotely exploitable without requiring authentication but does require user interaction, such as clicking a malicious link. The CVSS 4.0 base score is 5.3, indicating a medium severity level, with network attack vector, low complexity, no privileges required, and user interaction needed. The impact primarily affects confidentiality and integrity, with limited availability impact. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The flaw highlights the importance of proper input validation and neutralization of HTTP headers to prevent injection attacks in web applications, especially those handling authentication flows.

CVE Database V5

Detailed information about CVE-2026-1698: CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue affecting arcinfo PcVue. Get rea

CVE-2026-1698: CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-1698: CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue

CVE-2026-1697 is a medium severity vulnerability affecting arcinfo's PcVue versions 12. 0. 0 through 16. 3. 3. The issue arises because sensitive cookies used in the GraphicalData web services and WebClient web app lack the 'Secure' and 'SameSite' attributes. This omission can allow cookies to be transmitted over non-HTTPS connections or be susceptible to cross-site request forgery (CSRF) attacks, potentially exposing session information. The vulnerability has a CVSS 4. 0 base score of 5. 3, indicating moderate risk.

CVE-2026-1697 identifies a vulnerability in arcinfo's PcVue software, specifically versions 12.0.0 through 16.3.3, where sensitive session cookies used by the GraphicalData web services and WebClient web app are missing the 'Secure' and 'SameSite' attributes. The 'Secure' attribute ensures cookies are only sent over HTTPS connections, preventing interception over unsecured channels, while the 'SameSite' attribute mitigates cross-site request forgery (CSRF) by restricting cookie transmission in cross-origin requests. The absence of these attributes means that cookies could be transmitted over unencrypted HTTP connections or be vulnerable to CSRF attacks, potentially allowing attackers to hijack user sessions or perform unauthorized actions. The vulnerability is classified under CWE-614 (Sensitive Cookie Without 'Secure' Attribute) and CWE-1275 (Improper Restriction of Rendered UI Layers or Frames). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and low impact on confidentiality and integrity but medium on availability. No patches are currently linked, and no exploits have been observed in the wild, but the risk remains due to the nature of session cookie handling in web applications. PcVue is widely used in industrial automation and SCADA systems, making this vulnerability relevant to critical infrastructure environments.

Detailed information about CVE-2026-1697: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue affecting arcinfo PcVue. Get rea

CVE-2026-1697: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-1697: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue

CVE-2026-1696 is a low-severity cross-site scripting (XSS) vulnerability affecting arcinfo's PcVue versions 12. 0. 0, 15. 0. 0, and 16. 0. 0. The vulnerability arises because some HTTP security headers are not properly set by the web server, leading to improper neutralization of input during web page generation (CWE-79). Exploitation requires user interaction and has a high attack complexity, with no privileges or authentication needed. While no known exploits are currently in the wild, successful exploitation could allow attackers to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking or information disclosure.

CVE-2026-1696 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in arcinfo's PcVue software versions 12.0.0, 15.0.0, and 16.0.0. The root cause is the improper neutralization of input during web page generation, compounded by the web server's failure to properly set certain HTTP security headers in responses to client applications. This misconfiguration can allow malicious actors to inject and execute arbitrary scripts within the context of a user's browser session when interacting with the affected PcVue web interface. The vulnerability does not require authentication or privileges but does require user interaction, and the attack complexity is high, indicating that exploitation is not straightforward. The CVSS 4.0 vector indicates network attack vector, no privileges required, user interaction required, and low scope impact limited to confidentiality with no integrity or availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability highlights the importance of proper input validation and the implementation of HTTP security headers such as Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options to reduce the risk of XSS attacks.

Detailed information about CVE-2026-1696: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue af

CVE-2026-1696: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-1696: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue

CVE-2026-1695 is a medium severity cross-site scripting (XSS) vulnerability in arcinfo's PcVue versions 12. 0. 0 through 16. 3. 3, affecting the OAuth web services used by WebVue, WebScheduler, TouchVue, and SnapVue features. The flaw exists in the OAuth server's error page, which improperly neutralizes input during web page generation, allowing a remote attacker to craft malicious content that could be loaded by legitimate users upon failed authentication with an unknown client_id. Exploitation requires no privileges but does require user interaction, specifically the user encountering the error page. Although no known exploits are currently in the wild, successful exploitation could lead to session hijacking, phishing, or other client-side attacks. The vulnerability has a CVSS 4. 0 score of 5.

CVE-2026-1695 is an XSS vulnerability classified under CWE-79 that affects the OAuth web services component of arcinfo's PcVue software, specifically versions 12.0.0 through 16.3.3. The vulnerability resides in the error page generated by the OAuth server when user authentication fails due to an unknown client_id. The error page fails to properly sanitize or neutralize user-controllable input, allowing an attacker to inject malicious scripts that execute in the context of the victim's browser. This flaw impacts the WebVue, WebScheduler, TouchVue, and SnapVue features, which rely on OAuth for authentication. The attack vector is remote and does not require any authentication or privileges, but it does require the user to interact with the error page triggered by a failed OAuth authentication attempt. The CVSS 4.0 base score of 5.3 indicates a medium severity, with network attack vector, low attack complexity, no privileges required, but user interaction necessary. The vulnerability could be exploited to execute arbitrary JavaScript, potentially leading to session hijacking, credential theft, or redirection to malicious sites. No public exploits or patches are currently available, but the flaw is publicly disclosed and should be addressed promptly. The scope is limited to the OAuth error page, which reduces the overall impact but still poses a risk to users interacting with the affected PcVue services.

Detailed information about CVE-2026-1695: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue af

CVE-2026-1695: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-1695: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue

CVE-2026-1694 is a low-severity vulnerability in arcinfo PcVue versions 12. 0. 0 through 16. 3. 3 where default IIS and ASP. net HTTP headers are not removed during deployment of certain web services. This results in unnecessary exposure of sensitive server configuration information via the WebVue, WebScheduler, TouchVue, and SnapVue features. The vulnerability does not allow direct exploitation to compromise confidentiality, integrity, or availability but could aid attackers in reconnaissance. No known exploits are currently reported in the wild. The vulnerability requires user interaction and has a high attack complexity, limiting its risk.

CVE-2026-1694 is a vulnerability classified under CWE-201 (Insertion of Sensitive Information into Sent Data) affecting arcinfo's PcVue software versions 12.0.0 through 16.3.3. PcVue is an industrial automation and SCADA software suite that includes web-based components such as WebVue, WebScheduler, TouchVue, and SnapVue. The vulnerability arises because the default configuration of IIS and ASP.net web servers adds HTTP headers that disclose sensitive server configuration details. These headers are not removed during the deployment phase of the affected PcVue web services, resulting in unnecessary exposure of internal server information to external users. This information leakage can provide attackers with reconnaissance data that may facilitate further targeted attacks. The vulnerability has a CVSS 4.0 base score of 2.3, reflecting its low severity. The attack vector is network-based and requires user interaction, with high attack complexity and no privileges required. There is no impact on confidentiality, integrity, or availability directly, and no known exploits have been reported in the wild. The lack of patch links suggests that mitigation relies on configuration changes rather than software updates. This issue highlights the importance of secure deployment practices, especially in industrial control system environments where PcVue is used.

Detailed information about CVE-2026-1694: CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue affecting arcinfo PcVue. Get real-time upda

CVE-2026-1694: CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-1694: CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue

An issue in the exp_copy component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Detailed information about CVE-2024-57634: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2024-57634: n/a

CVE-2024-57634: n/a

Description

Technical Details

Community Reviews

Related Threats

CVE-2026-1698: CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue

CVE-2026-1697: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue

CVE-2026-1696: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue

CVE-2026-1695: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue

CVE-2026-1694: CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue

Actions

External Links

Need more coverage?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility