Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.
AnalysisAI
Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, or 'Cross-site Scripting'), specifically a stored XSS variant. The root cause lies in the Domoticz web interface's failure to properly encode or sanitize user-supplied input when processing hardware names and device rename operations before storing these values in the application's persistent data store. When these stored values are subsequently rendered in HTML responses, the browser interprets unencoded script tags or event handlers as executable code rather than literal text. The affected product is Domoticz (CPE: cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:*), a home automation software platform that exposes configuration and control functions through a web-based administration interface.
RemediationAI
Upgrade Domoticz to version 2026.1 or later immediately, which includes proper input encoding and sanitization for the Add Hardware and device rename functionality. Users should obtain the patched version from the official Domoticz website at https://www.domoticz.com/2026.1/. As an interim mitigation prior to patching, restrict administrative access to the Domoticz web interface to trusted network ranges only using firewall rules or a reverse proxy with authentication controls, disable remote administrative access if not required, and monitor web interface logs for suspicious device naming patterns containing script tags or HTML entities. Additionally, ensure that only necessary administrator accounts are provisioned and review existing hardware names and device names for any suspicious content that may indicate prior exploitation.
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp. Ra
Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options. Rated high severity (CVSS 7.5), t
Domoticz 4.10717 has XSS via item.Name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15949
GHSA-gc8q-hv36-8qpc