CVE-2026-28770 MEDIUM

CVE-2026-28770: XML injection In /IDC_Logging/checkifdone.cgi Endpoint On IDC SFX Web Management Interface Version 101

Vendor International Datacasting Corporation (Idc)
Product SFX Series SuperFlex Satellite Receiver Web management interface
Weakness CWE-91 · XML injection
Published March 4, 2026
Last update March 5, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible

Key dates

02Disclosure timeline

March 4, 2026 CVE published
March 5, 2026 Record updated