{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1001", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-15T17:20:31.714Z", "datePublished": "2026-03-25T18:12:52.519Z", "dateUpdated": "2026-05-14T02:09:02.555Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:02.555Z"}, "title": "Domoticz < 2026.1 Stored XSS via Hardware Configuration Endpoint", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Domoticz", "product": "Domoticz", "repo": "https://github.com/domoticz/domoticz", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.<br>"}]}], "references": [{"url": "https://www.domoticz.com/2026.1/", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "credits": [{"lang": "en", "value": "Kacper Leszczy\u0144ski", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:06:40.255817Z", "id": "CVE-2026-1001", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:07:15.644Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:06:40.255817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:07:07.581Z"}}], "cna": {"title": "Domoticz < 2026.1 Stored XSS via Hardware Configuration Endpoint", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kacper Leszczy\u0144ski"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/domoticz/domoticz", "vendor": "Domoticz", "product": "Domoticz", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.domoticz.com/2026.1/", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.", "supportingMedia": [{"type": "text/html", "value": "Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:02.555Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1001", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:09:02.555Z", "dateReserved": "2026-01-15T17:20:31.714Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-25T18:12:52.519Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:*", "matchCriteriaId": "F48762BB-8D65-422C-A9C5-0B4F4EB9121C", "versionEndExcluding": "2026.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context."}, {"lang": "es", "value": "Las versiones de Domoticz anteriores a 2026.1 contienen una vulnerabilidad de cross-site scripting almacenado en la funcionalidad Add Hardware y rename device de la interfaz web que permite a los administradores autenticados ejecutar scripts arbitrarios al proporcionar nombres manipulados que contienen scripts o marcado HTML. Los atacantes pueden inyectar c\u00f3digo malicioso que se almacena y se renderiza sin una codificaci\u00f3n de salida adecuada, provocando la ejecuci\u00f3n de scripts en los navegadores de los usuarios que visualizan la p\u00e1gina afectada y permitiendo acciones no autorizadas dentro del contexto de su sesi\u00f3n."}], "id": "CVE-2026-1001", "lastModified": "2026-04-01T15:42:23.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-25T19:16:30.207", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://www.domoticz.com/2026.1/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{"bugzilla": {"description": "Domoticz: Domoticz: Arbitrary script execution via stored cross-site scripting in web interface", "id": "2451432", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451432"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Domoticz. This stored cross-site scripting (XSS) vulnerability allows authenticated administrators to execute arbitrary scripts. By supplying crafted names containing script or HTML markup in the 'Add Hardware' and 'rename device' functionalities, attackers can inject malicious code. This code is then stored and rendered without proper output encoding, leading to script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context."], "name": "CVE-2026-1001", "public_date": "2026-03-25T18:12:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1001\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1001\nhttps://www.domoticz.com/2026.1/\nhttps://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint"], "statement": "This LOW stored XSS vulnerability in Domoticz requires administrator privileges to inject malicious scripts (PR:H) and user interaction to trigger (UI:R). The scope is changed as scripts execute in the victim's browser context. Impact is low to confidentiality and integrity through session hijacking or unauthorized actions. Affects versions prior to 2026.1.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Domoticz", "source": "cna", "vendor": "Domoticz"}, "product": "domoticz", "vendor": "domoticz"}], "analysis": {"en": {"generated_at": "2026-04-02T02:58:57.514123+00:00", "value": {"mitigation_remediation": ["Upgrade Domoticz to version 2026.1 or later."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting that allows authenticated administrators to execute arbitrary scripts in users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "Any Domoticz installation running a version older than 2026.1 is affected. The flaw resides in the hardware configuration endpoint and applies to all deployments that expose the Add Hardware and rename device functionality to administrators.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in the Add Hardware and rename device functions of the Domoticz web interface. Attackers can supply specially crafted names containing script or HTML markup that is stored and rendered without proper output encoding. When a user views the affected page, the malicious script runs in the user\u2019s browser with the privileges of that user, enabling unauthorized actions within the user\u2019s session context.", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate severity, and the very low EPSS score (<1%) suggests the likelihood of exploitation is currently limited. However, because the flaw requires authenticated administrator access, any compromise of those credentials or an insider threat could allow exploitation. The vulnerability is not listed in the CISA KEV catalog, reflecting its current lack of widespread active exploitation."}}}}, "created": "2026-03-25T21:46:30.062391+00:00", "updated": "2026-04-02T07:59:05.960081+00:00", "vendors": ["domoticz", "domoticz$PRODUCT$domoticz"]}