Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-14480

Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
10/07/2026
Última modificación:
10/07/2026

Descripción

*** Pendiente de traducción *** OpenPLC Runtime v3 contains an authenticated arbitrary file write <br /> vulnerability in the legacy web UI program‑upload workflow. The <br /> application stores an attacker‑supplied filename (prog_file) directly <br /> into the Programs.File database field and later uses this value as the <br /> destination path for an uploaded file without validating or restricting <br /> the path. Because Python os.path.join() honors attacker‑controlled <br /> absolute paths, an authenticated user can write arbitrary files anywhere<br /> writable by the OpenPLC webserver process. In the default build <br /> pipeline, all C++ source files within the OpenPLC runtime core directory<br /> are automatically compiled into the executable runtime binary. By <br /> writing a malicious .cpp file into this directory, an authenticated <br /> attacker can escalate the arbitrary file write into arbitrary native <br /> code execution when the operator triggers a normal program compilation <br /> and runtime start.