HIGH

CVE-2026-11826

CVSS v3

8.8

HIGH

EPSS Score

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. getData() reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. In parseConfig() the function is invoked with the 100-byte heap-allocated MB_device.dev_name field. An authenticated attacker with access to the OpenPLC web interface can send a crafted HTTP POST to the /modbus endpoint with an oversized device_name value; the val

Technical details

CVSS v3 Vector
3.1
Published
7/18/2026
Last Modified
7/18/2026

Frequently asked questions

What is CVE-2026-11826?

OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. getData() reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. In parseConfig() the function is invoked with the 100-byte heap-allocated MB_device.dev_name field. An authenticated attacker with access to the OpenPLC web interface can send a crafted HTTP POST to the /modbus endpoint with an oversized device_name value; the val

Is CVE-2026-11826 actively exploited?

Active exploitation of CVE-2026-11826 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-11826?

CVE-2026-11826 has a CVSS v3 base score of 8.8 (HIGH severity), with vector string 3.1.

Is CVE-2026-11826 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.