vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Solution
OpenPLC recommends users upgrade to OpenPLC v4 as OpenPLC v3 is end-of-life and is no longer receiving patches, bug fixes, or security updates.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 10 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openplc
Openplc openplc |
|
| Vendors & Products |
Openplc
Openplc openplc |
Fri, 10 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑upload workflow. The application stores an attacker‑supplied filename (prog_file) directly into the Programs.File database field and later uses this value as the destination path for an uploaded file without validating or restricting the path. Because Python os.path.join() honors attacker‑controlled absolute paths, an authenticated user can write arbitrary files anywhere writable by the OpenPLC webserver process. In the default build pipeline, all C++ source files within the OpenPLC runtime core directory are automatically compiled into the executable runtime binary. By writing a malicious .cpp file into this directory, an authenticated attacker can escalate the arbitrary file write into arbitrary native code execution when the operator triggers a normal program compilation and runtime start. | |
| Title | OpenPLC v3 External Control of File Name or Path | |
| Weaknesses | CWE-73 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: icscert
Published:
Updated: 2026-07-10T22:17:49.406Z
Reserved: 2026-07-02T16:00:30.030Z
Link: CVE-2026-14480
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-11T03:45:16Z