Skip to main content

Domoticz CVE-2026-1001

| EUVDEUVD-2026-15949 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 VulnCheck GHSA-gc8q-hv36-8qpc
4.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
4.8 LOW
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 25, 2026 - 18:32 euvd
EUVD-2026-15949
Analysis Generated
Mar 25, 2026 - 18:32 vuln.today
Patch released
Mar 25, 2026 - 18:32 nvd
Patch available
CVE Published
Mar 25, 2026 - 18:12 nvd
MEDIUM 4.8

DescriptionCVE.org

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

AnalysisAI

Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, or 'Cross-site Scripting'), specifically a stored XSS variant. The root cause lies in the Domoticz web interface's failure to properly encode or sanitize user-supplied input when processing hardware names and device rename operations before storing these values in the application's persistent data store. When these stored values are subsequently rendered in HTML responses, the browser interprets unencoded script tags or event handlers as executable code rather than literal text. The affected product is Domoticz (CPE: cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:*), a home automation software platform that exposes configuration and control functions through a web-based administration interface.

RemediationAI

Upgrade Domoticz to version 2026.1 or later immediately, which includes proper input encoding and sanitization for the Add Hardware and device rename functionality. Users should obtain the patched version from the official Domoticz website at https://www.domoticz.com/2026.1/. As an interim mitigation prior to patching, restrict administrative access to the Domoticz web interface to trusted network ranges only using firewall rules or a reverse proxy with authentication controls, disable remote administrative access if not required, and monitor web interface logs for suspicious device naming patterns containing script tags or HTML entities. Additionally, ensure that only necessary administrator accounts are provisioned and review existing hardware names and device names for any suspicious content that may indicate prior exploitation.

Vendor StatusVendor

Share

CVE-2026-1001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy