CVE-2026-1001 MEDIUM

CVE-2026-1001: Domoticz < 2026.1 Stored XSS via Hardware Configuration Endpoint

Vendor: Domoticz
Product: Domoticz
Weakness: CWE-79 (XSS)
Published: March 25, 2026
Last update: May 14, 2026

CVSS base score

4.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

Key dates

02 Disclosure timeline

March 25, 2026: CVE published
May 14, 2026: Record updated
