Skip to main content

Domoticz

4 CVEs product

Monthly

CVE-2026-1001 MEDIUM POC PATCH This Month

Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.

XSS Domoticz
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2019-15480 MEDIUM POC PATCH This Month

Domoticz 4.10717 has XSS via item.Name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Domoticz
NVD GitHub
CVSS 3.0
5.4
EPSS
0.7%
CVE-2019-10678 HIGH POC PATCH THREAT This Week

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Domoticz
NVD GitHub Exploit-DB
CVSS 3.0
7.5
EPSS
17.3%
CVE-2019-10664 CRITICAL POC PATCH Act Now

Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Domoticz
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
7.5%
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.

XSS Domoticz
NVD VulDB GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Domoticz 4.10717 has XSS via item.Name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Domoticz
NVD GitHub
EPSS 17% CVSS 7.5
HIGH POC PATCH THREAT This Week

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Domoticz
NVD GitHub Exploit-DB
EPSS 8% CVSS 9.8
CRITICAL POC PATCH Act Now

Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Domoticz
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy