Eyodav

#19529 of 53,632
13.5 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2025-40533
7.1
2025-10-03
Autonomy Logic · Openplc Runtime · CVE-2025-34226
**Name of the Vulnerable Software and Affected Versions**
OpenPLC Runtime version 3

**Description**
The software contains an input validation flaw in the `/upload-program-action` API endpoint. The `epoch time` parameter submitted with program uploads is not validated, which can corrupt the programs database. After a successful exploit the runtime continues to operate until it is restarted, at which point it may fail to start because of the database corruption, resulting in a denial of service. Recovery requires a complete rebase of the product.

**Recommendations**
Update to a version that includes commit 095ee09 or commit 095ee09623dd229b64ad3a1db38a901a3772f6fc.
PT-2025-31796
6.4
2025-08-04
Unknown · Openplc Runtime · CVE-2025-54962
**Name of the Vulnerable Software and Affected Versions**
OpenPLC Runtime versions 3 through 9cd8f1b

**Description**
An authenticated user can upload arbitrary files, such as `.html` or `.svg`, through the `/edit-user` endpoint in the webserver. These uploaded files are then publicly accessible under the `/static` URI.

**Recommendations**
Restrict access to the `/edit-user` endpoint to prevent unauthorized file uploads. Disable or remove the ability to upload files through the `/edit-user` endpoint.