Domoticz
Monthly
Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.
Domoticz 4.10717 has XSS via item.Name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.
Domoticz 4.10717 has XSS via item.Name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.