Vulnerability Details CVE-2026-28774
An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 62.4%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-28774
-
cpe:2.3:h:datacast:sfx2100:-
-
cpe:2.3:o:datacast:sfx2100_firmware:-