XML Injection Flaw in IDC SFX Series Satellite Receiver Web Management Interface
CVE-2026-28770

5.3 MEDIUM

What is CVE-2026-28770?

The web management interface of the IDC SFX Series SuperFlex Satellite Receiver improperly neutralizes special elements in the /IDC_Logging/checkifdone.cgi script. An authenticated attacker can inject malicious XML content through the unsanitized file parameter, which is reflected directly into a CDATA block. This can lead to reflected XSS and may also facilitate further exploitation such as XML External Entity (XXE) attacks, posing significant risks to the integrity and security of the affected system.
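The class of flaw described above, with its fix, as an added example that is not the vendor's code: a value copied verbatim into a CDATA section next to a handler that allow-lists the name and splits any `]]>` before echoing it. The response shape (`<status><file>`), the function names, the file-name pattern and the sample input are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: valid log names are plain basenames; the pattern is illustrative.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed sample input: closes the CDATA section early, adds a harmless
# marker element, then reopens CDATA so the response stays well-formed.
CONSTRUCTED_INPUT = "a.log]]><injected/><![CDATA["


def render_vulnerable(file_param: str) -> str:
    """The flawed pattern: request value copied verbatim into CDATA."""
    return f"<status><file><![CDATA[{file_param}]]></file></status>"


def cdata_safe(value: str) -> str:
    """Split every ']]>' across two sections so the value cannot end CDATA."""
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def render_hardened(file_param: str) -> str:
    """Reject unexpected names first, then encode whatever is echoed back."""
    if not SAFE_NAME.fullmatch(file_param):
        raise ValueError("file parameter rejected")
    return f"<status><file>{cdata_safe(file_param)}</file></status>"


def child_tags(xml_text: str) -> list:
    """Element names found under <file>; any entry came from the request."""
    return [el.tag for el in ET.fromstring(xml_text).find("file")]


def echoed_text(xml_text: str) -> str:
    """Character data a client would read back from <file>."""
    return ET.fromstring(xml_text).find("file").text


if __name__ == "__main__":
    print(child_tags(render_vulnerable(CONSTRUCTED_INPUT)))
    wrapped = f"<status><file>{cdata_safe(CONSTRUCTED_INPUT)}</file></status>"
    print(child_tags(wrapped), echoed_text(wrapped) == CONSTRUCTED_INPUT)
```

The allow-list is the primary control; `cdata_safe` is defence in depth for any handler that must echo free-form text. If the response is rendered by a browser, serving it with an XML content type rather than `text/html` also matters for the XSS side.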

Affected Version(s)

SFX Series SuperFlex Satellite Receiver Web management interface 101

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved