CVE-2025-54962
Published
CVSS v3: 6.4 MEDIUM
CVSS v2: N/A
Affected: 2 projects
Description
/edit-user in webserver in OpenPLC Runtime 3 through 9cd8f1b allows authenticated users to upload arbitrary files (such as .html or .svg), and these are then publicly accessible under the /static URI.
Authenticated users can upload arbitrary files (e.g. .html, .svg) as profile images in OpenPLC Runtime. The uploaded files are then served from /static without authentication, so an attacker with any valid account can stage stored XSS (an .html or .svg document that the browser renders inline, in the OpenPLC origin) or host other malicious content on the PLC web server.
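The bug class here is generic: a profile-image handler that keeps the client-supplied filename and extension and drops the file into a statically served directory. The following is an added illustration of that weak pattern beside a hardened one; it is constructed example code written for this page, not OpenPLC Runtime's own source, and all function names, the sample byte strings and the size limit are assumptions. The hardened path allowlists raster extensions, checks the file's magic bytes against the declared type, rejects leading markup, discards the client name in favour of a random one, and emits headers that stop the browser from sniffing the response into HTML.

```python
"""Profile-image upload: weak vs hardened handling (constructed example).

Not OpenPLC code. Models the pattern behind CVE-2025-54962: trusting the
client's filename/extension and serving the result from a public static path.
"""
import os
import secrets

# Magic numbers for the raster formats a profile picture legitimately needs.
# Note that SVG and HTML are deliberately absent: both are rendered as
# documents by the browser and can carry script.
_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
_CONTENT_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                  "jpeg": "image/jpeg", "gif": "image/gif"}

# Constructed sample uploads (assumed inputs, not captured traffic).
SAMPLE_PNG = _MAGIC["png"] + b"\x00" * 32
SAMPLE_SVG_XSS = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SAMPLE_HTML_AS_PNG = b"<html><script>fetch('/users')</script></html>"


def vulnerable_store_name(client_filename: str) -> str:
    """Weak pattern: keep whatever name and extension the client sent.

    basename() stops path traversal but still lets .svg/.html land in the
    served directory, which is exactly the problem described above.
    """
    return os.path.basename(client_filename)


def safe_store_name(client_filename: str, data: bytes,
                    max_bytes: int = 2 * 1024 * 1024) -> str:
    """Hardened pattern: validate, then return a server-chosen filename.

    Raises ValueError for anything that is not a plausible raster image.
    """
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in _MAGIC:
        raise ValueError(f"extension .{ext or '(none)'} not allowed")
    if len(data) > max_bytes:
        raise ValueError("file too large")
    if not data.startswith(_MAGIC[ext]):
        raise ValueError("content does not match declared image type")
    # Cheap defence in depth against markup polyglots; re-encoding the image
    # server-side (e.g. with an image library) is the stronger control.
    head = data[:512].lower()
    if any(tag in head for tag in (b"<svg", b"<html", b"<script", b"<?xml")):
        raise ValueError("markup detected in image data")
    # Random name: the client never controls what path appears under /static.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the hardened path would store the file."""
    try:
        safe_store_name(client_filename, data)
        return True
    except ValueError:
        return False


def response_headers(stored_name: str) -> dict:
    """Headers for serving a stored image: fixed type, no MIME sniffing."""
    ext = stored_name.rsplit(".", 1)[-1].lower()
    return {
        "Content-Type": _CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        # Uploaded bytes must never be allowed to run script in our origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    print("weak   :", vulnerable_store_name("avatar.svg"))
    print("hard   :", safe_store_name("avatar.png", SAMPLE_PNG))
    print("svg ok?:", is_accepted("avatar.svg", SAMPLE_SVG_XSS))
    print("html-as-png ok?:", is_accepted("avatar.png", SAMPLE_HTML_AS_PNG))
```

Even with the hardened handler, the safest deployment keeps user uploads out of the same origin as the application (a separate hostname or a path that is never served with an HTML-capable content type), so a validation bypass cannot become XSS against the PLC's session cookies.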