CVE-2026-1695 is an improper input neutralization vulnerability classified under CWE-79 (Cross-site Scripting) affecting the OAuth web services component of arcinfo's PcVue software versions 12.0.0 through 16.3.3. The flaw resides specifically in the error page generated by the OAuth server when authentication fails due to an unknown client_id parameter. Because the error page does not properly sanitize user-controllable input, an attacker can craft a malicious URL that, when visited by a legitimate user, causes the browser to execute attacker-controlled scripts. This can lead to the injection of arbitrary web content from external sites. The affected PcVue features include WebVue, WebScheduler, TouchVue, and SnapVue, which rely on OAuth for authentication. The vulnerability requires no authentication or privileges but does require user interaction, as the victim must visit the maliciously crafted URL. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the vulnerability could be exploited for phishing, session hijacking, or other client-side attacks that leverage the victim's browser context within PcVue's web interfaces.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary scripts in the context of a legitimate user's browser session when interacting with PcVue's OAuth error page. This can lead to theft of session tokens, redirection to malicious sites, or unauthorized actions performed on behalf of the user. While the vulnerability does not directly compromise the backend systems or data confidentiality, it undermines user trust and can facilitate social engineering attacks. Organizations relying on PcVue for industrial control or building management systems could face operational disruptions if attackers leverage this vulnerability to manipulate user sessions or inject misleading information. The requirement for user interaction limits automated exploitation, but targeted spear-phishing campaigns could increase risk. Since the affected features are web-based interfaces commonly used in industrial environments, the impact could extend to critical infrastructure sectors if exploited.

To mitigate CVE-2026-1695, organizations should first verify if they are running affected versions of PcVue (12.0.0 through 16.3.3). Although no official patches are currently listed, contacting arcinfo support for any available updates or workarounds is recommended. In the interim, organizations should implement strict input validation and output encoding on the OAuth error pages to neutralize malicious input. Deploying web application firewalls (WAFs) with rules to detect and block suspicious OAuth error page requests can reduce exposure. Educating users about the risks of clicking unknown or suspicious links related to authentication errors is critical. Additionally, monitoring logs for unusual OAuth error page access patterns may help detect exploitation attempts. Restricting access to PcVue web interfaces via network segmentation and VPNs can further reduce the attack surface. Finally, integrating multi-factor authentication (MFA) can limit the impact of session hijacking attempts stemming from this vulnerability.