CVE-2026-14480
CWE-73Published: July 10, 2026· Updated: Jul 13, 2026
Official Description
OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
Risk Analysis
This critical vulnerability in OpenPLC Runtime v3 allows an authenticated attacker to write arbitrary files to any location writable by the webserver process. With a CVSS score of 9.9 (Critical), this flaw poses an extremely high risk, as it can lead to remote code execution and full system compromise.
No public exploit is currently known for this vulnerability. However, its remote exploitability (AV:N) and low attack complexity make it a significant concern once an attacker has authenticated.
Administrators should ensure that OpenPLC Runtime v3 is updated to a version that addresses this arbitrary file write vulnerability. Implement strict input validation and path sanitization for file upload functionalities to prevent malicious file placement.
Technical Analysis
CVE-2026-14480 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 9.9.
The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
News & Research Mentioning CVE-2026-14480
View CSAF Summary Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem and escalate this into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execution as the OpenPLC runtime user. The following versions of OpenPLC v3 are affected: OpenPLC v3 CVSS Vendor Equipment Vulnerabilities v3 9.9 OpenPLC OpenPLC v3 External Control of File Name or Path Background Critical Infrastructure Sectors: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-14480 OpenPLC Runtime v3 contai [xlite_meta score:79 src:CISA Alerts xlite_fp:ae078e2892c267d11a5f2550c2c456432ff0de84c75fd77318ed7f8073103d16]
All References (2)
Quick Facts
Related CVEs (CWE-73)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-14480 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts