CVE-2026-14480: OpenPLC v3 External Control of File Name or Path
OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
Security readout for executives and security teams
Plain-English summary
OpenPLC has a critical authenticated file-write flaw in its web program upload flow. A logged-in user can make the server write files outside the intended location. In the documented build flow, this can become native code execution after normal compilation and runtime start. This is especially important for systems connected to operational technology environments.
Executive priority
Prioritize this as urgent for any production or OT-connected OpenPLC deployment. The vulnerability is critical because a low-privileged authenticated user may turn file upload behavior into code execution. Confirm exposure and vendor remediation status before relying on compensating controls.
Technical view
The flaw is CWE-73 in OpenPLC v3/v4. The legacy web UI stores attacker-controlled prog_file into Programs.File and later uses it as an upload destination without path validation. Absolute paths are honored by os.path.join(). Writing a .cpp file into the runtime core directory can be compiled into the runtime binary, enabling code execution in the documented workflow.
Likely exposure
Exposure is most likely where OpenPLC v3 or v4 is deployed and the legacy web UI program-upload workflow is reachable by authenticated users. Risk is higher if web UI accounts are broadly shared, weakly governed, or accessible from less trusted networks.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. Exploitation requires authenticated access to the OpenPLC web UI. The documented impact can progress from arbitrary file write to native code execution when normal compilation and runtime start occur.
Researcher notes
Evidence is based on the CVE description and CISA advisory references. The bundle names OpenPLC v3 and v4 and CVSS 9.9. No patch version, workaround, proof-of-concept, or active exploitation claim is provided in the supplied sources.
Mitigation direction
Review CISA advisory ICSA-26-190-01 for vendor-specific guidance.
Check OpenPLC guidance for fixed versions or supported mitigations.
Inventory OpenPLC v3 and v4 deployments.
Treat OpenPLC web UI access as privileged until remediation is confirmed.
Limit authenticated web UI access to required operators only.
Validation and detection
Confirm OpenPLC version on all deployed instances.
Determine whether the legacy web UI upload workflow is available.
Review program records for unexpected absolute paths or suspicious filenames.
Inspect runtime core directories for unexpected C++ source files.
Check web UI account list for unnecessary or shared users.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-73: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
0ADP providers
3Source links
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-73 · source CWE mapping
External Control of File Name or Path
External Control of File Name or Path represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.