CVE-2026-1001

Name of the Vulnerable Software and Affected Versions Domoticz versions prior to 2026.1

Description Domoticz contains a stored cross-site scripting issue in the Add Hardware and rename device functionality of the web interface. Authenticated administrators can execute arbitrary scripts by providing crafted names containing script or HTML markup. The injected malicious code is stored and rendered without proper output encoding, leading to script execution in the browsers of users viewing the affected page. This allows attackers to perform unauthorized actions within a user's session. The vulnerable functionality involves supplying crafted names.

Recommendations Update Domoticz to version 2026.1 or later.