CVE-2026-28701
published 2026-06-26CVE-2026-28701: Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate…
PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.84%
53.2th percentile
Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| daktronics | dmp-5000 | < v10.34.x.x | v10.34.x.x |
| daktronics | dmp-5000 | < v8.117.x.x | v8.117.x.x |
| daktronics | dmp-5000 | < v9.43.x.x | v9.43.x.x |
| daktronics | dmp-8000 | < v10.34.x.x | v10.34.x.x |
| daktronics | dmp-8000 | < v8.117.x.x | v8.117.x.x |
| daktronics | dmp-8000 | < v9.43.x.x | v9.43.x.x |
| daktronics | vfc-dmp-5000 | < v8.117.x.x | v8.117.x.x |
| daktronics | vfc-dmp-5000 | < v9.43.x.x | v9.43.x.x |
| daktronics | vfc-dmp-5000 | < v10.34.x.x | v10.34.x.x |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Daktronics VFC-DMP-5000/DMP-5000/DMP-8000 prior 8.117.x.x/9.43.x.x/10.34.x.x path traversal (icsa-26-176-04 / EUVD-2026-39923)
vuldb·2026-06-27·CVSS 9.8
CVE-2026-28701 [CRITICAL] Daktronics VFC-DMP-5000/DMP-5000/DMP-8000 prior 8.117.x.x/9.43.x.x/10.34.x.x path traversal (icsa-26-176-04 / EUVD-2026-39923)
A vulnerability was found in Daktronics VFC-DMP-5000, DMP-5000 and DMP-8000 and classified as critical. Impacted is an unknown function. Executing a manipulation can lead to path traversal.
The identification of this vulnerability is CVE-2026-28701. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.
ghsa_unreviewed·2026-06-27
CVE-2026-28701 [CRITICAL] CWE-22 Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.
Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-26
Published