CVE-2026-1001

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-1001
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

4.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.domoticz.com/2026.1/ Release Notes
https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:*
History

01 Apr 2026, 15:42

Type Values Removed Values Added
First Time Domoticz
Domoticz domoticz
Summary
  • (es) Las versiones de Domoticz anteriores a 2026.1 contienen una vulnerabilidad de cross-site scripting almacenado en la funcionalidad Add Hardware y rename device de la interfaz web que permite a los administradores autenticados ejecutar scripts arbitrarios al proporcionar nombres manipulados que contienen scripts o marcado HTML. Los atacantes pueden inyectar código malicioso que se almacena y se renderiza sin una codificación de salida adecuada, provocando la ejecución de scripts en los navegadores de los usuarios que visualizan la página afectada y permitiendo acciones no autorizadas dentro del contexto de su sesión.
CPE cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.8
References () https://www.domoticz.com/2026.1/ - () https://www.domoticz.com/2026.1/ - Release Notes
References () https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint - () https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint - Third Party Advisory

25 Mar 2026, 19:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-25 19:16

Updated : 2026-04-01 15:42

NVD link : CVE-2026-1001

Mitre link : CVE-2026-1001

CVE.ORG link : CVE-2026-1001

JSON object : View

Products Affected

domoticz

  • domoticz
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')