Eyodav/OpenPLC-Insecure-File-Upload

Releases0

Authenticated users can upload arbitrary files (e.g. .html, .svg) as profile images in OpenPLC Runtime. These files are publicly accessible without authentication, allowing stored XSS or malicious content delivery .

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-54962 ↗	Aug 4, 2025Monday, 4 August 2025, 02:15	6.4 MEDIUM	—
/edit-user in webserver in OpenPLC Runtime 3 through 9cd8f1b allows authenticated users to upload arbitrary files (such as .html or .svg), and these are then publicly accessible under the /static URI.