CVE-2026-28772 | THREATINT

Description

A Reflected Cross-Site Scripting (XSS) vulnerability in the /IDC_Logging/index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 allows a remote attacker to execute arbitrary web scripts or HTML. The vulnerability is triggered by sending a crafted payload through the `submitType` parameter, which is reflected directly into the DOM without proper escaping.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-04 | Updated 2026-03-05 | Assigner Gridware

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status

unaffected

101

affected

Credits

Abdul Mhanni finder

References

www.abdulmhsblog.com/posts/sfx2100-vulns/

cve.org (CVE-2026-28772)

nvd.nist.gov (CVE-2026-28772)

Download JSON