5.3
IDC SFX Series Web Interface Allows Malicious Code Injection
CVE-2026-28770
Summary
The web management interface of the IDC SFX Series SuperFlex Satellite Receiver is vulnerable to XML injection. The /IDC_Logging/checkifdone.cgi script reflects the `file` parameter into its response without sanitizing it, so an authenticated attacker can supply special characters that break out of the enclosing CDATA block and inject arbitrary XML elements. Reflected XSS has been confirmed, and further abuse such as XXE may be possible. No fix is available yet, so affected users should check with the vendor for updates.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| datacast | sfx2100_firmware | All versions | – |
Original title
Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interfac...
Original description
Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects unsanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into a reflected XSS, but further abuse such as XXE may be possible.
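The CDATA breakout described above, next to two ways of neutralizing it, as an added example that is not the vendor's code. The response shape (`<response><file>…`), the function names, the allow-list pattern and the sample value are assumptions constructed for illustration; the real output of checkifdone.cgi is not shown on this page.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample value: closes the CDATA section, adds one element, reopens CDATA.
SAMPLE = "report.log]]><injected/><![CDATA["

def render_vulnerable(file_value: str) -> str:
    # Weak pattern (CWE-91): the value is pasted into CDATA as-is.
    return f"<response><file><![CDATA[{file_value}]]></file></response>"

def cdata_safe(value: str) -> str:
    # "]]>" is the only sequence that ends a CDATA section, so split every
    # occurrence across two adjacent sections; parsers rejoin the text.
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def render_cdata_hardened(file_value: str) -> str:
    return f"<response><file>{cdata_safe(file_value)}</file></response>"

def render_escaped(file_value: str) -> str:
    # Alternative: drop CDATA and entity-escape &, < and > in a text node.
    return f"<response><file>{escape(file_value)}</file></response>"

# Hypothetical allow-list for a file-name parameter, applied before rendering.
FILE_PARAM = re.compile(r"[A-Za-z0-9._-]{1,128}")

def is_valid_file_param(value: str) -> bool:
    return FILE_PARAM.fullmatch(value) is not None

def element_names(xml_text: str) -> list:
    # Every element the parser sees; an extra name means markup was injected.
    return [el.tag for el in ET.fromstring(xml_text).iter()]

def file_text(xml_text: str) -> str:
    return ET.fromstring(xml_text).findtext("file")

if __name__ == "__main__":
    for render in (render_vulnerable, render_cdata_hardened, render_escaped):
        doc = render(SAMPLE)
        print(f"{render.__name__}: elements={element_names(doc)} "
              f"round_trip={file_text(doc) == SAMPLE}")
    print("allow-list accepts sample:", is_valid_file_param(SAMPLE))
```

Both hardened renderers return the input to the parser as plain text, and the allow-list rejects the value before it reaches the renderer at all.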
NVD CVSS 4.0
5.3
Vulnerability type
CWE-91
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026