PT-2026-60966 · Openplc · Openplc

·

CVE-2026-11826

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions OpenPLC v3 (affected versions not specified)
Description A heap-based buffer overflow exists in the getData() function within webserver/core/modbus master.cpp. The function reads characters between two delimiters into a caller-supplied buffer without a size parameter or bounds check. Specifically, in parseConfig(), the function is called using the 100-byte heap-allocated MB device.dev name field. An authenticated attacker with access to the web interface can send a crafted HTTP POST request to the /modbus endpoint containing an oversized device name value. This value is saved to mbconfig.cfg and parsed upon loading, which overflows dev name and overwrites adjacent structure fields, including protocol at offset 108, dev address at offset 109, and ip port at offset 210. For example, a 200-byte payload writes 100 bytes beyond the allocation, resulting in heap corruption that causes a runtime crash and denial of service of the PLC process control loop.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Restrict access to the web interface to minimize the risk of exploitation.

DoS

Heap Based Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-11826

Affected Products

Openplc