
CVE-2026-1695: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue

Severity: Medium
Tags: Vulnerability, CVE-2026-1695, CWE-79
Published: Thu Feb 26 2026 (02/26/2026, 07:57:11 UTC)
Source: CVE Database V5
Vendor/Project: arcinfo
Product: PcVue

Description

CVE-2026-1695 is a medium severity cross-site scripting (XSS) vulnerability in arcinfo's PcVue versions 12.0.0 through 16.3.3, affecting the OAuth web services used by the WebVue, WebScheduler, TouchVue, and SnapVue features. The flaw exists in the OAuth server's error page, which improperly neutralizes input during web page generation, allowing a remote attacker to craft malicious content that could be loaded by legitimate users upon failed authentication with an unknown client_id. Exploitation requires no privileges but does require user interaction, specifically the user encountering the error page. Although no known exploits are currently in the wild, successful exploitation could lead to session hijacking, phishing, or other client-side attacks. The vulnerability has a CVSS 4.0 score of 5.

AI-Powered Analysis

Last updated: 02/26/2026, 08:28:15 UTC

Technical Analysis

CVE-2026-1695 is an XSS vulnerability classified under CWE-79 that affects the OAuth web services component of arcinfo's PcVue software, specifically versions 12.0.0 through 16.3.3. The vulnerability resides in the error page generated by the OAuth server when user authentication fails due to an unknown client_id. The error page fails to properly sanitize or neutralize user-controllable input, allowing an attacker to inject malicious scripts that execute in the context of the victim's browser. This flaw impacts the WebVue, WebScheduler, TouchVue, and SnapVue features, which rely on OAuth for authentication. The attack vector is remote and does not require any authentication or privileges, but it does require the user to interact with the error page triggered by a failed OAuth authentication attempt. The CVSS 4.0 base score of 5.3 indicates a medium severity, with network attack vector, low attack complexity, no privileges required, but user interaction necessary. The vulnerability could be exploited to execute arbitrary JavaScript, potentially leading to session hijacking, credential theft, or redirection to malicious sites. No public exploits or patches are currently available, but the flaw is publicly disclosed and should be addressed promptly. The scope is limited to the OAuth error page, which reduces the overall impact but still poses a risk to users interacting with the affected PcVue services.

Potential Impact

The primary impact of CVE-2026-1695 is on the confidentiality and integrity of user sessions within PcVue's OAuth-enabled features. An attacker exploiting this XSS vulnerability can execute arbitrary scripts in the context of a legitimate user's browser, potentially stealing session tokens, redirecting users to phishing sites, or performing actions on behalf of the user. This could lead to unauthorized access to sensitive industrial control or monitoring data managed by PcVue, which is often used in critical infrastructure environments. While the availability impact is limited, the compromise of user credentials or session tokens can have cascading effects on operational security. Since the vulnerability affects multiple PcVue features widely used in industrial automation and building management, organizations worldwide relying on these systems could face targeted attacks. The lack of authentication requirements for exploitation increases the risk, although user interaction is necessary. The medium severity rating reflects a moderate but non-trivial risk, especially in environments where PcVue is integrated with critical operational technology (OT) systems.

Mitigation Recommendations

Organizations should monitor arcinfo's advisories for official patches addressing CVE-2026-1695 and apply them promptly once released. In the interim, administrators can mitigate risk by implementing strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts on OAuth error pages. Input validation and output encoding should be reviewed and enhanced in custom deployments or integrations involving PcVue's OAuth services. Network-level protections such as Web Application Firewalls (WAFs) can be configured to detect and block typical XSS payloads targeting the OAuth error page. User education is also important to reduce the risk of social engineering attacks leveraging this vulnerability. Additionally, restricting access to PcVue's web interfaces to trusted networks and enforcing multi-factor authentication (MFA) can reduce the attack surface. Logging and monitoring for unusual OAuth authentication failures and suspicious requests to the error page can help detect exploitation attempts early.
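As an added example, not arcinfo's or PcVue's own code, the following shows the defect class described in the Technical Analysis (an OAuth error page that reflects an unknown client_id into HTML unencoded) beside the hardened form the mitigation advice calls for: output encoding, a restrictive Content-Security-Policy, and a detection hook for client_id values carrying markup. The client registry, endpoint path and header set are constructed for illustration and do not describe PcVue's actual OAuth server.

```python
import html
import re
from typing import Dict, Tuple

# Constructed allow-list standing in for the OAuth server's client registry
# (the real PcVue registry and the names it uses are not on the advisory page).
REGISTERED_CLIENTS = {"webvue", "webscheduler", "touchvue", "snapvue"}

# Strict policy for a page that needs no script at all: blocks inline and
# remote script even if an encoding bug slips through elsewhere.
CSP = ("default-src 'none'; style-src 'self'; img-src 'self'; "
       "base-uri 'none'; form-action 'self'; frame-ancestors 'none'")

# Markup or URL-scheme fragments that have no business in a client_id.
SUSPECT = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)


def render_error_vulnerable(client_id: str) -> str:
    """Reflects client_id into HTML unencoded: the CWE-79 pattern of this CVE."""
    return (f"<html><body><h1>Unknown client</h1>"
            f"<p>client_id {client_id} is not registered.</p></body></html>")


def render_error_hardened(client_id: str) -> Tuple[int, Dict[str, str], str]:
    """Same page, with output encoding plus defensive response headers."""
    shown = html.escape(client_id[:64], quote=True)  # encode; also cap length
    body = (f"<html><body><h1>Unknown client</h1>"
            f"<p>client_id {shown} is not registered.</p></body></html>")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }
    return 400, headers, body


def is_suspicious_client_id(client_id: str) -> bool:
    """Detection hook: True when the value carries markup and is worth alerting on."""
    return SUSPECT.search(client_id) is not None


def handle_authorize(params: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Minimal /authorize front door: known client -> placeholder redirect, else hardened error."""
    cid = params.get("client_id", "")
    if cid in REGISTERED_CLIENTS:
        return 302, {"Location": "/consent"}, ""
    if is_suspicious_client_id(cid):
        print(f"ALERT unknown client_id with markup: {cid!r}")  # stand-in for real logging
    return render_error_hardened(cid)
```

The encoded body renders the submitted value as visible text rather than markup, and the CSP gives a second line of defence for any other reflected field on the page.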


Technical Details

Data Version: 5.2
Assigner Short Name: arcinfo
Date Reserved: 2026-01-30T08:38:05.262Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a00034b7ef31ef0bd40695

Added to database: 2/26/2026, 8:11:32 AM

Last enriched: 2/26/2026, 8:28:15 AM

Last updated: 2/26/2026, 9:32:11 AM

