🔐 CVE Alert

CVE-2026-14480

CRITICAL 9.9

OpenPLC v3 External Control of File Name or Path

CVSS Score
9.9
EPSS Score
0.6%
EPSS Percentile
45th

OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑upload workflow. The application stores an attacker‑supplied filename (prog_file) directly into the Programs.File database field and later uses this value as the destination path for an uploaded file without validating or restricting the path. Because Python os.path.join() honors attacker‑controlled absolute paths, an authenticated user can write arbitrary files anywhere writable by the OpenPLC webserver process. In the default build pipeline, all C++ source files within the OpenPLC runtime core directory are automatically compiled into the executable runtime binary. By writing a malicious .cpp file into this directory, an authenticated attacker can escalate the arbitrary file write into arbitrary native code execution when the operator triggers a normal program compilation and runtime start.

CWE CWE-73
Vendor openplc
Product openplc
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for openplc openplc

Be the first to know when new critical vulnerabilities affecting openplc openplc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

OpenPLC / OpenPLC
v3

References

NVD ↗ CVE.org ↗ EPSS Data ↗
cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-01 github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-190-01.json

Credits

Grady DeRosa reported this vulnerability to CISA.