23 matches found

RedhatCVE
added 2026/04/10 7:22 p.m. | 3 views

CVE-2026-28205

OpenPLCV3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API...

CVSS 9.8 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 1

RedhatCVE
added 2026/04/10 7:22 p.m. | 2 views

CVE-2026-35063

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVSS 8.8 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 1

NVD
added 2026/04/09 7:16 p.m. | 1 views

CVE-2026-35556

OpenPLCV3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information...

CVSS 9.2 | EPSS 0.00041
Exploits: 0 | References: 1

Vulnrichment
added 2026/04/09 7:0 p.m. | 1 views

CVE-2026-35063 Missing Authorization in OpenPLC_V3

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVSS 8.7 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 1

CVE
added 2026/04/09 6:57 p.m. | 5 views

CVE-2026-35556

CVE-2026-35556 affects OpenPLC_V3 and describes a Plaintext Storage of a Password vulnerability. The root issue is that credentials can be stored in plaintext, enabling an attacker to retrieve credentials and access sensitive information. The provided metrics indicate a high impact on confidentia...

CVSS 9.2 | AI score 5.9 | EPSS 0.00041
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/04/09 6:57 p.m. | 1 views

CVE-2026-35556 Plaintext storage of a password in OpenPLC_V3

OpenPLCV3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information...

CVSS 9.2 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 1

CVE
added 2026/04/09 6:54 p.m. | 5 views

CVE-2026-28205

Technical details beyond the description are not publicly provided in the supplied documents. Monitor for updates on affected versions, root cause, and remediation.

CVSS 9.8 | AI score 5.9 | EPSS 0.00072
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/04/09 6:54 p.m. | 17 views

CVE-2026-28205 Initialization of a resource with an insecure default in OpenPLC_V3

OpenPLCV3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API...

CVSS 9.2 | EPSS 0.00072
Exploits: 0 | References: 1

Vulnrichment
added 2026/04/09 6:54 p.m. | 4 views

CVE-2026-28205 Initialization of a resource with an insecure default in OpenPLC_V3

OpenPLCV3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API...

CVSS 9.2 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 1

Cvelist
added 2025/12/13 12:3 a.m. | 22 views

CVE-2025-13970 OpenPLC_V3 Cross-Site Request Forgery

OpenPLCV3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settin...

CVSS 8 | EPSS 0.00015
Exploits: 0 | References: 3

ICS
added 2025/12/11 7:0 a.m. | 3 views

OpenPLC_V3 (Update A)

RISK EVALUATION Successful exploitation of this vulnerability could result in the alteration of PLC settings or the upload of malicious programs. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize...

CVSS 9.8 | AI score 5.7 | EPSS 0.00072
Exploits: 0 | References: 11

CVE
added 2025/10/01 9:22 p.m. | 6 views

CVE-2025-54811

CVE-2025-54811 concerns OpenPLC_V3. The vulnerability is in the enipThread function due to a missing return value, causing a crash when the server loop ends and an illegal ud2 is executed. It can be triggered remotely without authentication by starting the same server multiple times or if the ser...

CVSS 7.1 | AI score 6.8 | EPSS 0.00054
Exploits: 0 | References: 2

Vulnrichment
added 2025/02/05 11:39 p.m. | 6 views

CVE-2025-1066

OpenPLCV3 contains an arbitrary file upload vulnerability, which could be leveraged for malvertising or phishing campaigns...

AI score 7.2 | EPSS 0.00145
Exploits: 0 | References: 2

CVE
added 2025/02/05 11:39 p.m. | 652 views

CVE-2025-1066

OpenPLC_V3 is affected by an arbitrary file upload vulnerability. The CVE-2025-1066 entry identifies a high-severity, network-exposed issue (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) that could enable malvertising or phishing campaigns. The available connected sources consistently describe ...

CVSS 9.8 | AI score 6.8 | EPSS 0.00145
Exploits: 0 | References: 2

NVD
added 2024/09/18 3:15 p.m. | 11 views

CVE-2024-39589

Multiple invalid pointer dereference vulnerabilities exist in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLCv3 16bf8bac1a36d95b73e7b8722d0edb8b9c5bb56a. A specially crafted EtherNet/IP request can lead to denial of service. An attacker can send a series of EtherNet/IP requests to...

CVSS 7.5 | EPSS 0.00171
Exploits: 1 | References: 2

NVD
added 2024/09/18 3:15 p.m. | 14 views

CVE-2024-36981

An out-of-bounds read vulnerability exists in the OpenPLC Runtime EtherNet/IP PCCC parser functionality of OpenPLCv3 b4702061dc14d1024856f71b4543298d77007b88. A specially crafted network request can lead to denial of service. An attacker can send a series of EtherNet/IP requests to trigger this...

CVSS 7.5 | EPSS 0.0023
Exploits: 1 | References: 2

CVE
added 2024/09/18 2:35 p.m. | 41 views

CVE-2024-36981

Summary: CVE-2024-36981 affects OpenPLC_v3 (commit b4702061dc14d1024856f71b4543298d77007b88) with an out-of-bounds read in the Runtime EtherNet/IP PCCC parser, enabling denial of service via specially crafted EtherNet/IP requests. The TALOS report clarifies two vulnerable paths in OpenPLC_v3: Sen...

CVSS 7.5 | AI score 6.9 | EPSS 0.0023
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2024/09/18 2:35 p.m. | 13 views

CVE-2024-39590

Multiple invalid pointer dereference vulnerabilities exist in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLCv3 16bf8bac1a36d95b73e7b8722d0edb8b9c5bb56a. A specially crafted EtherNet/IP request can lead to denial of service. An attacker can send a series of EtherNet/IP requests to...

CVSS 7.5 | AI score 6.9 | EPSS 0.00171
Exploits: 1 | References: 1

CVE
added 2024/09/18 2:35 p.m. | 53 views

CVE-2024-39589

CVE-2024-39589 concerns multiple invalid pointer dereference vulnerabilities in the OpenPLC_v3 Runtime EtherNet/IP parser, specifically within the Protected_Logical_Read_Reply path. The flaw stems from dereferencing truncated addresses due to memmove usage on request-derived values, enabling a cr...

CVSS 7.5 | AI score 7.1 | EPSS 0.00171
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2024/09/18 2:35 p.m. | 17 views

CVE-2024-39589

Multiple invalid pointer dereference vulnerabilities exist in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLCv3 16bf8bac1a36d95b73e7b8722d0edb8b9c5bb56a. A specially crafted EtherNet/IP request can lead to denial of service. An attacker can send a series of EtherNet/IP requests to...

CVSS 7.5 | EPSS 0.00171
Exploits: 1 | References: 1