CVE-2026-28701 | Various versions of Daktronics Controller Firmware could all… | CVSS 9.8 CRITICAL

Description

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Metadata

CVE ID: CVE-2026-28701
State: PUBLISHED
Assigner: icscert
Reserved: 2026-03-30 20:11 UTC
Published: 2026-06-26 22:40 UTC
Last updated: 2026-06-26 23:03 UTC
Primary CWE: CWE-22
CWE-22
Vendor / Product: Daktronics / VFC-DMP-5000
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products (3)

Vendor	Product	Platform	Versions
Daktronics	DMP-5000	—	0 < v10.34.x.x, 0 < v8.117.x.x, 0 < v9.43.x.x
Daktronics	DMP-8000	—	0 < v10.34.x.x, 0 < v8.117.x.x, 0 < v9.43.x.x
Daktronics	VFC-DMP-5000	—	0 < v8.117.x.x, 0 < v9.43.x.x, 0 < v10.34.x.x

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)