HIGH
openplcproject
CVE published 2026-07-18
CVE-2026-11826
OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. The function reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. An authenticated attacker with access to the OpenPLC web interface can send a crafted HTTP POST to the /modbus endpoint with an oversized device_name value; the value is [truncated]