CVE Catalog

CVE-2026-1001

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile - higher than 11% of all known CVEs

Summary

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality. An authenticated administrator can inject malicious code via crafted names containing script or HTML markup, which is stored and executed in the browsers of other users viewing the affected page.

Risk Assessment

An attacker can hijack another administrator's or user's session, perform unauthorized actions within Domoticz, and potentially access sensitive data or disrupt smart home operations.

Recommendation

Upgrade Domoticz to version 2026.1 or later immediately, as it contains a fix for this vulnerability. Additionally, limit the number of administrators and apply the principle of least privilege.

Original NVD description (English source)

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS