Heap-based Buffer Overflow in OpenPLC v3 by Thiago R. Alves
CVE-2026-11826
8.7HIGH
What is CVE-2026-11826?
OpenPLC_v3 contains a critical vulnerability resulting from a heap-based buffer overflow in the getData() function located in webserver/core/modbus_master.cpp. This function reads data into a user-provided buffer without boundary checks, which allows an authenticated attacker access to the OpenPLC web interface to exploit the /modbus endpoint. By sending an oversized 'device_name' value, the attacker can overwrite critical struct fields, causing heap corruption and potential denial of service to the PLC process control loop. Given that this issue has been confirmed by the vendor and the repository archived, no fix is expected for this vulnerability.
Affected Version(s)
OpenPLC_v3 0
