XSS in Domoticz

CVE-2026-1001

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplyi…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (22.9th percentile) — read the EPSS interpretation.

Affected products

Domoticz — versions 0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

www.domoticz.com/2026.1/ (release-notes, patch)
www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-end… (third-party-advisory)