PatchSiren

openplcproject CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH openplcproject CVE published 2026-07-18

CVE-2026-11826

OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. The function reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. An authenticated attacker with access to the OpenPLC web interface can send a crafted HTTP POST to the /modbus endpoint with an oversized device_name value; the value is [truncated]