CVE-2025-34226 HIGH

CVE-2025-34226: OpenPLC Runtime v3 Persistent DoS

Vendor Autonomy Logic
Product OpenPLC Runtime
Weakness CWE-664
Published October 3, 2025
Last update March 23, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epoch_time field supplied during program uploads is not validated and can be crafted to corrupt the programs database. After a successful malformed upload, the runtime continues to operate until it is restarted; on restart, it can fail to start because of the corrupted database entries, resulting in a persistent denial of service that requires a complete rebase of the product to recover. This vulnerability was remediated by commit 095ee09.
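The two defensive checks this description calls for, strict validation of epoch_time on upload and a startup read that survives a bad row, as an added example that is not OpenPLC code and not the change made in commit 095ee09. The table layout, the accepted time range and all function names are assumptions made for illustration.

```python
import sqlite3
import time

# Assumed policy and schema (not from the advisory or the project): plain decimal
# seconds, no earlier than 2000-01-01, at most one day ahead of the server clock.
MIN_EPOCH = 946684800
MAX_SKEW = 86400

def parse_epoch_time(raw, now=None):
    """Return the submitted epoch_time as an int, or raise ValueError."""
    now = int(time.time()) if now is None else now
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 12):
        raise ValueError("epoch_time must be a plain decimal integer")
    value = int(raw)
    if not MIN_EPOCH <= value <= now + MAX_SKEW:
        raise ValueError("epoch_time outside the accepted range")
    return value

def store_program(db, name, raw_epoch, now=None):
    """Write path: validate before anything reaches the database."""
    value = parse_epoch_time(raw_epoch, now)
    db.execute("INSERT INTO programs (name, date_upload) VALUES (?, ?)", (name, value))
    db.commit()
    return value

def load_programs(db):
    """Read path at startup: set unusable rows aside instead of aborting."""
    good, skipped = [], []
    for prog_id, name, stamp in db.execute("SELECT prog_id, name, date_upload FROM programs"):
        if isinstance(stamp, int) and stamp >= MIN_EPOCH:
            good.append((prog_id, name, stamp))
        else:
            skipped.append(prog_id)
    return good, skipped

def demo(now=1759500000):
    """Constructed data: one pre-existing bad row, one valid and one malformed upload."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE programs (prog_id INTEGER PRIMARY KEY, name TEXT, date_upload)")
    db.execute("INSERT INTO programs (name, date_upload) VALUES ('old', 'not-a-timestamp')")
    accepted = store_program(db, "blink", "1759449600", now)
    try:
        store_program(db, "bad", "1e400", now)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected, load_programs(db)

if __name__ == "__main__":
    print(demo())
```

Rejecting the upload outright keeps a bad timestamp out of the database, and the tolerant read keeps one already-stored bad row from blocking startup.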

Key dates

02 Disclosure timeline

October 3, 2025 CVE published
March 23, 2026 Record updated