CVE-2026-1001
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality. An authenticated administrator can inject malicious code via crafted names containing script or HTML markup, which is stored and executed in the browsers of other users viewing the affected page.
Risk Assessment
An attacker can hijack another administrator's or user's session, perform unauthorized actions within Domoticz, and potentially access sensitive data or disrupt smart home operations.
Recommendation
Upgrade Domoticz to version 2026.1 or later immediately, as it contains a fix for this vulnerability. Additionally, limit the number of administrators and apply the principle of least privilege.
Original NVD description (English source)
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

