Threat Intelligence Database

Three vulnerabilities were discovered in Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers used for large-scale LED displays such as highway signs and billboards. These include a path traversal vulnerability exploitable without authentication, an authenticated arbitrary file upload flaw, and default admin credentials that often remain unchanged. Exploiting these could allow attackers to gain root-level access, tamper with displayed content, or fully compromise the device. Patches have been released by Daktronics, and users are advised to change default passwords. The vulnerabilities were responsibly disclosed through CISA's VINCE platform. The impact ranges from reconnaissance to full device control, but exploitation requires internet exposure of the devices, which is the responsibility of the customers to manage.

CVE-2026-14160 is a medium severity time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot. The flaw allows leveraging race conditions that may lead to limited confidentiality, integrity, and availability impacts. No affected versions or patch information are provided, and no known exploits are reported. The vulnerability requires local access and low attack complexity without user interaction.

The Team Members – Multi Language Supported Team Plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in all versions up to and including 8.7. This vulnerability arises from insufficient input sanitization and output escaping in admin settings. It allows authenticated users with administrator-level permissions or higher to inject arbitrary scripts that execute when a user accesses the affected page. The issue specifically affects multi-site WordPress installations and those where the unfiltered_html capability is disabled. The vulnerability has a medium severity rating with a CVSS score of 4.4.

The ISC Stormcast for June 30th, 2026, is a brief informational post from the SANS Internet Storm Center with no specific vulnerability details provided. It references a podcast episode but does not describe any particular security threat or vulnerability.

NLTK version 3.9.4 contains a path traversal vulnerability due to improper handling of percent-encoded sequences in resource paths. The vulnerability allows attackers to bypass pathname restrictions and read arbitrary files accessible to the Python process by exploiting how resource names are validated and decoded. This affects applications using NLTK for resource loading, including NLP web apps, Jupyter notebooks, and CLI tools. The default configuration setting further increases risk by not enforcing file read restrictions at the open stage.

A malicious Chromium-based browser extension impersonates the AI-powered answer engine Perplexity AI to redirect users' browser search traffic. It leverages Manifest V3 (MV3) APIs and intermediary infrastructure to perform these redirections without user consent. This behavior can mislead users and potentially expose them to unwanted content or tracking. No specific affected versions of Chromium or the extension are identified. There is no indication of known exploits in the wild or an official patch. The threat is assessed as medium severity based on the described impact.

A supply chain attack was confirmed on Polymarket, a cryptocurrency-based prediction market, after a third-party frontend vendor was breached. This breach led to malicious JavaScript being injected into the Polymarket website, tricking users into approving fraudulent actions. The attack highlights risks associated with third-party dependencies in web applications.

ThreatFox IOCs for 2026-06-29

CVE-2026-10648 is a memory-safety vulnerability in the Zephyr project affecting versions 4.4.0 up to but not including 4.5.0. The issue arises because a NULL pointer check is missing before a buffer reset operation, leading to a NULL pointer dereference and device crash. An attacker with access to the serial or console transport can flood the buffer pool, causing denial of service by crashing the device. This vulnerability has a CVSS score of 6.2, indicating medium severity.

CVE-2026-8023 is a path traversal vulnerability in the Zephyr project's HTTP server static-filesystem resource handler. It allows unauthenticated remote attackers to read arbitrary files outside the configured web root by exploiting improper handling of ../ segments in URL paths. This affects Zephyr versions 4.0.0 through 4.4.0 when the static-filesystem resource is registered. The vulnerability does not require authentication or TLS to exploit. A fix was introduced that canonicalizes the URL path to neutralize traversal attempts.