VYPR
Vendor

Openplcproject

Products
3
CVEs
16
Across products
18
Status
Private

Products

3

Recent CVEs

16
  • CVE-2026-28205CriApr 9, 2026
    risk 0.64cvss 9.8epss 0.00

    OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.

  • CVE-2026-35063HigApr 9, 2026
    risk 0.57cvss 8.8epss 0.00

    OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full…

  • CVE-2021-47770HigJan 21, 2026
    risk 0.57cvss 8.8epss 0.01

    OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that…

  • CVE-2025-13970HigDec 13, 2025
    risk 0.52cvss 8.0epss 0.00

    OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized …

  • CVE-2026-35556HigApr 9, 2026
    risk 0.49cvss 7.5epss 0.00

    OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.

  • CVE-2025-54962MedAug 4, 2025
    risk 0.42cvss 6.4epss 0.00

    /edit-user in webserver in OpenPLC Runtime 3 through 9cd8f1b allows authenticated users to upload arbitrary files (such as .html or .svg), and these are then publicly accessible under the /static URI.

  • CVE-2026-31156MedMay 13, 2026
    risk 0.35cvss 6.5epss 0.00

    A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are…

  • CVE-2025-53476MedOct 7, 2025
    risk 0.34cvss 5.3epss 0.00

    A denial of service vulnerability exists in the ModbusTCP server functionality of OpenPLC _v3 a931181e8b81e36fadf7b74d5cba99b73c3f6d58. A specially crafted series of network connections can lead to the server not processing subsequent Modbus requests. An attacker can open a…

  • CVE-2024-34026Sep 18, 2024
    risk 0.01cvss epss 0.02

    A stack-based buffer overflow vulnerability exists in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLC _v3 b4702061dc14d1024856f71b4543298d77007b88. A specially crafted EtherNet/IP request can lead to remote code execution. An attacker can send a series of…

  • CVE-2024-36981Sep 18, 2024
    risk 0.00cvss epss 0.01

    An out-of-bounds read vulnerability exists in the OpenPLC Runtime EtherNet/IP PCCC parser functionality of OpenPLC_v3 b4702061dc14d1024856f71b4543298d77007b88. A specially crafted network request can lead to denial of service. An attacker can send a series of EtherNet/IP…

  • CVE-2024-36980Sep 18, 2024
    risk 0.00cvss epss 0.01

    An out-of-bounds read vulnerability exists in the OpenPLC Runtime EtherNet/IP PCCC parser functionality of OpenPLC_v3 b4702061dc14d1024856f71b4543298d77007b88. A specially crafted network request can lead to denial of service. An attacker can send a series of EtherNet/IP…

  • CVE-2024-39590Sep 18, 2024
    risk 0.00cvss epss 0.01

    Multiple invalid pointer dereference vulnerabilities exist in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLC_v3 16bf8bac1a36d95b73e7b8722d0edb8b9c5bb56a. A specially crafted EtherNet/IP request can lead to denial of service. An attacker can send a series of…

  • CVE-2024-39589Sep 18, 2024
    risk 0.00cvss epss 0.01

    Multiple invalid pointer dereference vulnerabilities exist in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLC_v3 16bf8bac1a36d95b73e7b8722d0edb8b9c5bb56a. A specially crafted EtherNet/IP request can lead to denial of service. An attacker can send a series of…

  • CVE-2024-37741Jun 28, 2024
    risk 0.00cvss epss 0.00

    OpenPLC 3 through 9cd8f1b allows XSS via an SVG document as a profile picture.

  • CVE-2021-3351Aug 2, 2021
    risk 0.00cvss epss 0.01

    OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page.

  • CVE-2018-20818Apr 21, 2019
    risk 0.00cvss epss 0.02

    A buffer overflow vulnerability was discovered in the OpenPLC controller, in the OpenPLC_v2 and OpenPLC_v3 versions. It occurs in the modbus.cpp mapUnusedIO() function, which can cause a runtime crash of the PLC or possibly have unspecified other impact.