HOMEVULNERABILITIESCVE-2026-14480
CRITICAL

CVE-2026-14480

CWE-73Published: July 10, 2026· Updated: Jul 13, 2026

9.9
CVSS v3.1
EPSS:0.62%probability of exploitation in 30 daysPercentile:45.4th

Official Description

OpenPLC Runtime v3 contains an authenticated arbitrary file write

vulnerability in the legacy web UI program‑upload workflow. The

application stores an attacker‑supplied filename (prog_file) directly

into the Programs.File database field and later uses this value as the

destination path for an uploaded file without validating or restricting

the path. Because Python os.path.join() honors attacker‑controlled

absolute paths, an authenticated user can write arbitrary files anywhere

writable by the OpenPLC webserver process. In the default build

pipeline, all C++ source files within the OpenPLC runtime core directory

are automatically compiled into the executable runtime binary. By

writing a malicious .cpp file into this directory, an authenticated

attacker can escalate the arbitrary file write into arbitrary native

code execution when the operator triggers a normal program compilation

and runtime start.

NVD Source

Risk Analysis

This critical vulnerability in OpenPLC Runtime v3 allows an authenticated attacker to write arbitrary files to any location writable by the webserver process. With a CVSS score of 9.9 (Critical), this flaw poses an extremely high risk, as it can lead to remote code execution and full system compromise.

No public exploit is currently known for this vulnerability. However, its remote exploitability (AV:N) and low attack complexity make it a significant concern once an attacker has authenticated.

Recommended Action

Administrators should ensure that OpenPLC Runtime v3 is updated to a version that addresses this arbitrary file write vulnerability. Implement strict input validation and path sanitization for file upload functionalities to prevent malicious file placement.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2026-14480 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 9.9.

The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeChanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Python
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

News & Research Mentioning CVE-2026-14480

OpenPLC v3
CISA Alerts· Jul 9, 2026

View CSAF Summary Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem and escalate this into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execution as the OpenPLC runtime user. The following versions of OpenPLC v3 are affected: OpenPLC v3 CVSS Vendor Equipment Vulnerabilities v3 9.9 OpenPLC OpenPLC v3 External Control of File Name or Path Background Critical Infrastructure Sectors: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-14480 OpenPLC Runtime v3 contai [xlite_meta score:79 src:CISA Alerts xlite_fp:ae078e2892c267d11a5f2550c2c456432ff0de84c75fd77318ed7f8073103d16]

All References (2)

Quick Facts

CVE IDCVE-2026-14480
CVSS Score9.9 / 10
SeverityCRITICAL
WeaknessCWE-73
CISA KEVNo
EPSS (30d)0.62%
PublishedJul 10, 2026

Related CVEs (CWE-73)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-14480 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.