CVE Catalog

CVE-2026-31156

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile - higher than 31% of all known CVEs

Summary

A path injection vulnerability exists in OpenPLC v3 (commit 2c82b0e79c53f8c1f1458eee15fec173400d6e1a). The binary compiled from glue_generator.cpp does not validate file path parameters from the command line, allowing an attacker to read arbitrary files.

Risk Assessment

An attacker can read sensitive system files such as configurations, passwords, or application data, leading to information disclosure and potential privilege escalation.

Recommendation

Update OpenPLC to the latest version with path validation fixes. Until then, restrict access to the binary and implement access control mechanisms.

Original NVD description (English source)

A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to the underlying file operation functions (fopen/ifstream/ofstream) for file reading and writing. An attacker can exploit this vulnerability by constructing a malicious path to read arbitrary readable files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS