HTTP Host Header Injection Vulnerability in PcVue WebClient and WebScheduler
CVE-2026-1698

5.3MEDIUM

Key Information:

Vendor

Arcinfo

Status
Vendor
CVE Published:
26 February 2026

Badges

👾 Exploit Exists

What is CVE-2026-1698?

The vulnerability in PcVue’s WebClient and WebScheduler applications allows remote attackers to exploit HTTP Host header attacks. This occurs specifically in version 15.0.0 through 16.3.3, where an attacker can manipulate the server-side behavior via harmful payloads. Targeted endpoints include /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout. It is essential for users of these applications to apply security best practices and monitor for potential exploitation.

Affected Version(s)

PcVue 16.0.0 <= 16.3.3

PcVue 15.0.0 <= 15.2.13

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.