CVE-2026-28770

Name of the Vulnerable Software and Affected Versions International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101

Description The application does not properly neutralize special elements within the /IDC Logging/checkifdone.cgi script, leading to a potential XML Injection issue. User input from the file parameter is reflected unsanitized into a CDATA block, potentially allowing an authenticated attacker to inject arbitrary XML elements and break out of tags. This could lead to reflected Cross-Site Scripting (XSS) and potentially other attacks like XML External Entity (XXE) injection.

Recommendations Update to a newer version that contains a fix for this vulnerability.