CVE-2026-14480
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
OpenPLC Runtime v3 contains an authenticated arbitrary file write <br />
vulnerability in the legacy web UI program‑upload workflow. The <br />
application stores an attacker‑supplied filename (prog_file) directly <br />
into the Programs.File database field and later uses this value as the <br />
destination path for an uploaded file without validating or restricting <br />
the path. Because Python os.path.join() honors attacker‑controlled <br />
absolute paths, an authenticated user can write arbitrary files anywhere<br />
writable by the OpenPLC webserver process. In the default build <br />
pipeline, all C++ source files within the OpenPLC runtime core directory<br />
are automatically compiled into the executable runtime binary. By <br />
writing a malicious .cpp file into this directory, an authenticated <br />
attacker can escalate the arbitrary file write into arbitrary native <br />
code execution when the operator triggers a normal program compilation <br />
and runtime start.
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH
Base Score 3.x
9.90
Severity 3.x
CRITICAL



