CVE-2026-33560

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:o:daktronics:dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:daktronics:dmp-5000:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:o:daktronics:dmp-8000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:dmp-8000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:dmp-8000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:daktronics:dmp-8000:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
OR cpe:2.3:o:daktronics:vfc-dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:vfc-dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:vfc-dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:daktronics:vfc-dmp-5000:-:*:*:*:*:*:*:*

History

06 Jul 2026, 17:53

Type Values Removed Values Added
References () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-04.json - () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-04.json - Third Party Advisory
References () https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04 - () https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04 - Third Party Advisory, US Government Resource
CPE cpe:2.3:h:daktronics:dmp-8000:-:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:dmp-8000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:vfc-dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:daktronics:dmp-5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:daktronics:vfc-dmp-5000:-:*:*:*:*:*:*:*
cpe:2.3:h:daktronics:dmp-5000:-:*:*:*:*:*:*:*
First Time Daktronics
Daktronics vfc-dmp-5000 Firmware
Daktronics dmp-5000 Firmware
Daktronics vfc-dmp-5000
Daktronics dmp-5000
Daktronics dmp-8000 Firmware
Daktronics dmp-8000

26 Jun 2026, 23:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-26 23:17

Updated : 2026-07-06 17:53


NVD link : CVE-2026-33560

Mitre link : CVE-2026-33560

CVE.ORG link : CVE-2026-33560


JSON object : View

Products Affected

daktronics

  • vfc-dmp-5000_firmware
  • dmp-5000
  • dmp-8000
  • dmp-5000_firmware
  • dmp-8000_firmware
  • vfc-dmp-5000
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type