ID

VAR-202605-2181


CVE

CVE-2026-31156


TITLE

Path traversal vulnerability in OpenPLC Project OpenPLC_v3 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2026-017167

DESCRIPTION

A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to the underlying file operation functions (fopen/ifstream/ofstream) for file reading and writing. An attacker can exploit this vulnerability by constructing a malicious path to read arbitrary readable files. OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) has a path injection vulnerability. Information handled by the software will not be rewritten, the software will not stop, and attacks exploiting this vulnerability will not affect other software.

Trust: 1.62

sources: NVD: CVE-2026-31156 // JVNDB: JVNDB-2026-017167

AFFECTED PRODUCTS

vendor: openplcproject, model: openplc v3, scope: eq, version: 2024-03-09

Trust: 1.0

vendor: openplc, model: v3, scope: eq, version: -

Trust: 0.8

vendor: openplc, model: v3, scope: eq, version: openplc_v3 firmware 2024-03-09

Trust: 0.8

vendor: openplc, model: v3, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-017167 // NVD: CVE-2026-31156

CVSS

SEVERITY

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2026-31156
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2026-017167
value: MEDIUM

Trust: 0.8

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2026-31156
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-017167
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-017167 // NVD: CVE-2026-31156

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

problemtype:Path traversal (CWE-22) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-017167 // NVD: CVE-2026-31156

PATCH

title: GitHub - unicorn-hyh/CVE-2026-31156
url: https://github.com/unicorn-hyh/CVE-2026-31156

Trust: 0.8

sources: JVNDB: JVNDB-2026-017167

EXTERNAL IDS

db: NVD, id: CVE-2026-31156

Trust: 2.6

db: JVNDB, id: JVNDB-2026-017167

Trust: 0.8

sources: JVNDB: JVNDB-2026-017167 // NVD: CVE-2026-31156

REFERENCES

url:http://openplc.com

Trust: 1.8

url:https://github.com/unicorn-hyh/cve-2026-31156

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-31156

Trust: 0.8

sources: JVNDB: JVNDB-2026-017167 // NVD: CVE-2026-31156

SOURCES

db: JVNDB, id: JVNDB-2026-017167
db: NVD, id: CVE-2026-31156

LAST UPDATE DATE

2026-06-19T23:19:04.973000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-017167, date: 2026-05-28T05:42:00
db: NVD, id: CVE-2026-31156, date: 2026-05-26T15:13:06.800

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-017167, date: 2026-05-28T00:00:00
db: NVD, id: CVE-2026-31156, date: 2026-05-13T16:16:38.763