Description
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.
Published: 2026-03-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows authenticated administrators to execute arbitrary scripts in users’ browsers
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Add Hardware and rename device functions of the Domoticz web interface. Attackers can supply specially crafted names containing script or HTML markup that is stored and rendered without proper output encoding. When a user views the affected page, the malicious script runs in the user’s browser with the privileges of that user, enabling unauthorized actions within the user’s session context.
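An added example, not Domoticz code (the function and field names are assumptions), contrasting the rendering pattern CWE-79 describes with an output-encoded one, and a helper an administrator could use to audit names already stored in an unpatched install:

```javascript
// Added example: rendering stored hardware/device names with output encoding.
// Not taken from Domoticz; renderRow*, findSuspiciousNames and the sample rows
// are assumptions constructed for illustration.

// Encode the five characters that HTML text and attribute contexts treat
// specially. '&' goes first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (what the advisory describes): the stored name is
// concatenated into markup as-is, so any tags it contains become live DOM
// in the browser of whoever views the list.
function renderRowUnsafe(device) {
  return `<tr><td>${device.idx}</td><td>${device.name}</td></tr>`;
}

// Hardened pattern: every stored field passes through escapeHtml before it
// reaches the markup, so the name is displayed as literal text.
function renderRowSafe(device) {
  return `<tr><td>${escapeHtml(device.idx)}</td><td>${escapeHtml(device.name)}</td></tr>`;
}

// Audit helper for an existing install: flags stored names that contain a
// tag opener, an event-handler attribute or a javascript: scheme, so they can
// be reviewed and renamed. A bare '<' followed by a space is left alone.
const MARKUP_RE = /<[a-z!\/]|on\w+\s*=|javascript:/i;
function findSuspiciousNames(devices) {
  return devices.filter((d) => MARKUP_RE.test(d.name)).map((d) => d.idx);
}

// Constructed sample rows standing in for a devices list.
const SAMPLE_DEVICES = [
  { idx: 1, name: "Kitchen light" },
  { idx: 2, name: "Garage <b>door</b>" },
  { idx: 3, name: "Porch <script>probe()</script>" },
  { idx: 4, name: "Temp < 20" },
];
```

Running findSuspiciousNames(SAMPLE_DEVICES) reports rows 2 and 3 and leaves the benign "Temp < 20" alone.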

Affected Systems

Any Domoticz installation running a version older than 2026.1 is affected. The flaw resides in the hardware configuration endpoint and applies to all deployments that expose the Add Hardware and rename device functionality to administrators.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the very low EPSS score (<1%) suggests the likelihood of exploitation is currently limited. However, because the flaw requires authenticated administrator access, any compromise of those credentials or an insider threat could allow exploitation. The vulnerability is not listed in the CISA KEV catalog, reflecting its current lack of widespread active exploitation.

Generated by OpenCVE AI on April 2, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Domoticz to version 2026.1 or later.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Domoticz
Domoticz domoticz
Vendors & Products Domoticz
Domoticz domoticz

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Low


Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.
Title Domoticz < 2026.1 Stored XSS via Hardware Configuration Endpoint
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Domoticz Domoticz
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T20:07:15.644Z

Reserved: 2026-01-15T17:20:31.714Z

Link: CVE-2026-1001

Vulnrichment

Updated: 2026-03-25T20:07:07.581Z

NVD

Status : Analyzed

Published: 2026-03-25T19:16:30.207

Modified: 2026-04-01T15:42:23.520

Link: CVE-2026-1001

Redhat

Severity : Low

Public Date: 2026-03-25T18:12:52Z

Links: CVE-2026-1001 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:59:05Z

Weaknesses