CVE-2026-31156

MEDIUM EPSS 32.7%

Published May 13, 20261mo ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published May 13, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to the underlying file operation functions (fopen/ifstream/ofstream) for file reading and writing. An attacker can exploit this vulnerability by constructing a malicious path to read arbitrary readable files.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

32.7% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 2

Vendor	Product	Version	Range
openplcproject	openplc_v3_firmware	2024-03-09	any
openplcproject	openplc_v3	*	any

References 2

openplc.com http://openplc.com

Product
github.com https://github.com/unicorn-hyh/CVE-2026-31156

ExploitThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.