CVE-2026-33560 | The DMP-5000 file service exposes authenticated arbitrary fi… | CVSS 7.1 HIGH

Description

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.

Metadata

CVE ID: CVE-2026-33560
State: PUBLISHED
Assigner: icscert
Reserved: 2026-03-30 20:11 UTC
Published: 2026-06-26 22:48 UTC
Last updated: 2026-06-26 22:48 UTC
Primary CWE: CWE-434
CWE-434
Vendor / Product: Daktronics / VFC-DMP-5000
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Affected products (3)

Vendor	Product	Platform	Versions
Daktronics	DMP-5000	—	0 < v10.34.x.x, 0 < v8.117.x.x, 0 < v9.43.x.x
Daktronics	DMP-8000	—	0 < v10.34.x.x, 0 < v8.117.x.x, 0 < v9.43.x.x
Daktronics	VFC-DMP-5000	—	0 < v8.117.x.x, 0 < v9.43.x.x, 0 < v10.34.x.x

Weakness (CWE)

CWE	Source	Description
CWE-434	cna	CWE-434

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.4	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N
7.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

References (2)