OpenPLC Runtime v3 contains an authenticated arbitrary...
High severity
Unreviewed
Published
Jul 11, 2026
to the GitHub Advisory Database
•
Updated Jul 11, 2026
Description
Published by the National Vulnerability Database
Jul 10, 2026
Published to the GitHub Advisory Database
Jul 11, 2026
Last updated
Jul 11, 2026
OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
References