CVE-2026-1001

UNKNOWN 0.0

Domoticz < 2026.1 Stored XSS via Hardware Configuration Endpoint

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

CWE	CWE-79
Vendor	domoticz
Product	domoticz
Published	Mar 25, 2026
Last Updated	Mar 25, 2026

Stay Ahead of the Next One

Get instant alerts for domoticz domoticz

Be the first to know when new unknown vulnerabilities affecting domoticz domoticz are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Domoticz / Domoticz

0 < 2026.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

domoticz.com: https://www.domoticz.com/2026.1/ vulncheck.com: https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint

Credits

Kacper Leszczyński