Description
Some HTTP security headers are not properly set by the web server when sending responses to the client application.
Published: 2026-02-26
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Missing HTTP security headers can enable client-side attacks such as cross-site scripting or clickjacking in web interfaces.
Action: Apply patch
AI Analysis

Impact

The vulnerability arises because the web server does not set several HTTP security headers that are recommended for protecting browser clients. Without these headers, standard browser defenses are weakened, allowing an attacker to potentially execute malicious scripts or manipulate page framing if integrated content is compromised.

Affected Systems

Arcinfo's PcVue control-system software is affected, specifically the Web Deployment Console component, for which the vendor ships fixes in 15.2.14 (build 15.2.14900.37147) and 16.3.4 (build 16.3.4902.3112). Earlier releases that expose a web interface are presumed to share the same issue, though the vendor has only enumerated the two patches above.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to reach the web server hosting PcVue's web or mobile interfaces; missing headers alone do not provide remote code execution on the host.

Generated by OpenCVE AI on April 17, 2026 at 14:24 UTC.

Remediation

Vendor Solution

Harden the configuration
Who should apply this recommendation: All users
To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:
* Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

Uninstall the Web Server
Who should apply this recommendation: All users not using the affected component
If your system does not require the use of the Web & Mobile features, you should make sure not to install them. If your system requires the use of the Web & Mobile features, they should be installed only on the Web Server. See the product help related to the installation for more information.

Update IIS configuration – manually update HTTP headers
Who should apply this recommendation: All users running affected components.
As a quick mitigation for the unnecessary and missing HTTP headers, you can disable default headers and add secure HTTP headers for all requests. Those options can be set via the web.config file located on the IIS by following these steps:
* Open the file C:\inetpub\<SV Website>\web.config
* Add the following entries to the customHeaders section, which are the recommendations from the official OWASP site:

    <remove name="X-Powered-By" />
    <add name="X-Frame-Options" value="DENY" />
    <add name="X-XSS-Protection" value="0" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="X-DNS-Prefetch-Control" value="off" />
    <add name="Cross-Origin-Opener-Policy" value="same-origin" />
    <add name="Cross-Origin-Embedder-Policy" value="require-corp" />
    <add name="Cross-Origin-Resource-Policy" value="same-site" />
    <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
    <add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains; preload" />
    <add name="Permissions-Policy" value="geolocation=(), camera=(), microphone=()" />

Update the Web Deployment Console (WDC) and redeploy the Web Server
Who should apply this recommendation: All users running affected components.
Install a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow. In a patched release of the WDC, new settings are available for each authorized Client to enable or disable:
* The Authorization Code flow
* The Authorization Code flow with PKCE
* The Resource Owner Password Credentials (ROPC) flow
By default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required.

To verify that the patch is applied correctly, you must check that:
* The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and ensure that any earlier release is no longer used;
* Web Sites have been redeployed;
* OAuth flows are correctly set for each authorized Client.

Available patches:
Patch provided in:
* PcVue 16.3.4 (16.3.4902.3112)
* PcVue 15.2.14 (15.2.14900.37147)
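The manual web.config mitigation above is only effective if the headers actually reach the browser, so an operator will want a repeatable way to check a response against the recommended set. The script below is an added example, not code from ARC Informatique or OpenCVE: it audits a dictionary of response headers against the exact header names and values quoted in the advisory, reports what is missing, what differs (for instance an `X-Frame-Options: SAMEORIGIN` left over from a default configuration) and whether `X-Powered-By` still leaks. The two sample responses are constructed for illustration; in practice the dictionary would come from `dict(resp.getheaders())` on a `urllib.request` response to the PcVue web site.

```python
"""Audit an HTTP response's security headers against the set the PcVue
advisory recommends adding to the IIS web.config customHeaders section.

Added example for this page; not ARC Informatique's or OpenCVE's code.
The expected header values are the ones quoted in the advisory; the two
sample responses at the bottom are constructed for illustration.
"""
from typing import Dict, Mapping

# Headers the advisory adds via <add name="..." value="..." />.
EXPECTED_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-site",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

# Headers the advisory strips via <remove name="..." />.
UNWANTED_HEADERS = ("X-Powered-By",)


def _normalize(value: str) -> str:
    """Lower-case and collapse whitespace so 'DENY' and ' deny ' compare equal."""
    return " ".join(value.split()).lower()


def audit_security_headers(headers: Mapping[str, str]) -> Dict[str, list]:
    """Compare a response's headers with the advisory's recommended set.

    Returns the expected headers that are absent, the ones whose value
    differs from the recommendation, and the unwanted ones still present.
    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: Dict[str, list] = {"missing": [], "mismatched": [], "unwanted": []}
    for name, expected in EXPECTED_HEADERS.items():
        actual = lowered.get(name.lower())
        if actual is None:
            findings["missing"].append(name)
        elif _normalize(actual) != _normalize(expected):
            findings["mismatched"].append((name, actual, expected))
    for name in UNWANTED_HEADERS:
        if name.lower() in lowered:
            findings["unwanted"].append((name, lowered[name.lower()]))
    return findings


def is_compliant(headers: Mapping[str, str]) -> bool:
    """True only when nothing is missing, mismatched or unwanted."""
    f = audit_security_headers(headers)
    return not (f["missing"] or f["mismatched"] or f["unwanted"])


# Constructed sample: a default IIS response before the web.config change.
UNHARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: the same response once the customHeaders entries apply.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Microsoft-IIS/10.0",
    **EXPECTED_HEADERS,
}

if __name__ == "__main__":
    for label, resp in (("before", UNHARDENED_RESPONSE), ("after", HARDENED_RESPONSE)):
        result = audit_security_headers(resp)
        print(f"{label}: compliant={is_compliant(resp)}")
        for name in result["missing"]:
            print(f"  missing   {name}")
        for name, actual, expected in result["mismatched"]:
            print(f"  mismatch  {name}: got {actual!r}, expected {expected!r}")
        for name, value in result["unwanted"]:
            print(f"  unwanted  {name}: {value!r}")
```

Running it against the constructed "before" response lists nine missing headers, flags `X-Frame-Options` as `SAMEORIGIN` where the advisory wants `DENY`, and reports the leaked `X-Powered-By`; the "after" response is compliant. Comparing values, not just presence, matters because a header that exists with a weaker value (or a `max-age=0` HSTS entry) passes a naive presence check while giving none of the intended protection.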


OpenCVE Recommended Actions

  • Apply the patched Web Deployment Console release (16.3.4 or 15.2.14) and redeploy the web server to apply the missing headers automatically.
  • If the Web Server component is not required, uninstall it to remove the vulnerable functionality.
  • For systems that must keep the Web Server, manually add the recommended secure header entries to the IIS web.config file to enforce security policies.
  • Restrict exposure of the control‑system web interfaces by placing them behind dedicated firewalls, limiting inbound ports, and using VPN or other secure remote access methods.

Generated by OpenCVE AI on April 17, 2026 at 14:24 UTC.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arcinformatique; Arcinformatique pcvue
CPEs | | cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
Vendors & Products | | Arcinformatique; Arcinformatique pcvue
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 26 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | Some HTTP security headers are not properly set by the web server when sending responses to the client application.
Title | | Missing security HTTP headers
First Time appeared | | Arcinfo; Arcinfo pcvue
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*; cpe:2.3:a:arcinfo:pcvue:12.0.0:*:*:*:*:*:*:*
Vendors & Products | | Arcinfo; Arcinfo pcvue
References | |
Metrics | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:M/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: arcinfo

Published:

Updated: 2026-03-26T08:23:46.958Z

Reserved: 2026-01-30T08:38:07.602Z

Link: CVE-2026-1696

Vulnrichment

Updated: 2026-02-26T14:33:05.832Z

NVD

Status: Analyzed

Published: 2026-02-26T08:16:19.323

Modified: 2026-03-12T14:26:15.187

Link: CVE-2026-1696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses