Openplc · Openplc · CVE-2026-11826
**Name of the Vulnerable Software and Affected Versions**
OpenPLC v3 (affected versions not specified)
**Description**
A heap-based buffer overflow exists in the `getData()` function within `webserver/core/modbus master.cpp`. The function reads characters between two delimiters into a caller-supplied buffer without a size parameter or bounds check. Specifically, in `parseConfig()`, the function is called using the 100-byte heap-allocated `MB device.dev name` field. An authenticated attacker with access to the web interface can send a crafted HTTP POST request to the `/modbus` endpoint containing an oversized `device name` value. This value is saved to `mbconfig.cfg` and parsed upon loading, which overflows `dev name` and overwrites adjacent structure fields, including `protocol` at offset 108, `dev address` at offset 109, and `ip port` at offset 210. For example, a 200-byte payload writes 100 bytes beyond the allocation, resulting in heap corruption that causes a runtime crash and denial of service of the PLC process control loop.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Restrict access to the web interface to minimize the risk of exploitation.