CVE-2026-28772 PUBLISHED

Reflected XSS in IDC_Logging Index endpoint

Assigner: Gridware
Reserved: 03.03.2026 Published: 04.03.2026 Updated: 04.03.2026

A Reflected Cross-Site Scripting (XSS) vulnerability in the /IDC_Logging/index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 allows a remote attacker to execute arbitrary web scripts or HTML. The vulnerability is triggered by sending a crafted payload through the submitType parameter, which is reflected directly into the DOM without proper escaping.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	International Datacasting Corporation (IDC)
Product	SFX Series SuperFlex SatelliteReceiver Web Management Interface
Versions	Default: unaffected Version 101 is affected

Credits

Abdul Mhanni finder

References

https://www.abdulmhsblog.com/posts/spfx-vulnrabilities/

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts

Client-Side Code Execution