CVE-2026-14480

Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026

Description

OpenPLC Runtime v3 contains an authenticated arbitrary file write <br /> vulnerability in the legacy web UI program‑upload workflow. The <br /> application stores an attacker‑supplied filename (prog_file) directly <br /> into the Programs.File database field and later uses this value as the <br /> destination path for an uploaded file without validating or restricting <br /> the path. Because Python os.path.join() honors attacker‑controlled <br /> absolute paths, an authenticated user can write arbitrary files anywhere<br /> writable by the OpenPLC webserver process. In the default build <br /> pipeline, all C++ source files within the OpenPLC runtime core directory<br /> are automatically compiled into the executable runtime binary. By <br /> writing a malicious .cpp file into this directory, an authenticated <br /> attacker can escalate the arbitrary file write into arbitrary native <br /> code execution when the operator triggers a normal program compilation <br /> and runtime start.