CVE-2026-28771

low-risk

Published 2026-03-04

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. The application fails to adequately sanitize user-supplied input provided via the `cat` parameter before reflecting it in the HTTP response, allowing a remote attacker to execute arbitrary HTML or JavaScript in the victim's browser context.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Sfx2100 Firmware

Affected Vendors

Datacast

References (1)

Exploit https://www.abdulmhsblog.com/posts/sfx2100-vulns/

/ 100

low-risk

Severity 23/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal