PatchSiren cyber security CVE debrief
CVE-2026-11826 openplcproject CVE debrief
OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. The function reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. An authenticated attacker with access to the OpenPLC web interface can send a crafted HTTP POST to the /modbus endpoint with an oversized device_name value; the value is persisted to mbconfig.cfg and parsed on load, overflowing dev_name and overwriting adjacent struct fields. This results in heap corruption leading to runtime crash and denial of service of the PLC process control loop. The vulnerability has been confirmed by the vendor, and no fix is expected as the upstream repository was archived on 2026-04-04.
- Vendor
- openplcproject
- Product
- OpenPLC_v3
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of OpenPLC_v3 should be aware of this vulnerability and take steps to mitigate it. The vulnerability has been confirmed by the vendor, and no fix is expected as the upstream repository was archived on 2026-04-04. Users should verify the presence of OpenPLC_v3 in their environment and review the official advisory for further guidance.
Technical summary
The getData() function in OpenPLC_v3's webserver/core/modbus_master.cpp is vulnerable to a heap-based buffer overflow. The function is called with a 100-byte heap-allocated MB_device.dev_name field in parseConfig(). An attacker can send a crafted HTTP POST to the /modbus endpoint with an oversized device_name value, causing heap corruption and leading to a runtime crash and denial of service of the PLC process control loop. The vulnerability has been confirmed by the vendor, and no fix is expected as the upstream repository was archived on 2026-04-04.
Defensive priority
High
Recommended defensive actions
- Inventory and verify the presence of OpenPLC_v3 in your environment.
- Restrict access to the OpenPLC web interface to trusted users.
- Monitor for suspicious activity on the /modbus endpoint.
- Consider implementing compensating controls to detect and prevent similar attacks.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-18T14:17:11.480Z and has not been modified since then. The NVD entry is currently Received. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry. Users should verify the presence of OpenPLC_v3 in their environment and review the official advisory for further guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:11.480Z and has not been modified since then. The NVD entry is currently Received.