CVE-2026-33560 HIGH

CVE-2026-33560: Daktronics Controller Firmware Unrestricted Upload of File with Dangerous Type

Vendor: Daktronics
Product: VFC-DMP-5000
Weakness: CWE-434 · Unrestricted file upload
Published: June 26, 2026
Last update: June 29, 2026

CVSS base score

7.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01 Description

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. Exposed endpoints allow authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced, so executable binaries and scripts are accepted and written directly to the server.

Key dates

02 Disclosure timeline

June 26, 2026: CVE published
June 29, 2026: Record updated