domoticz CVE Vulnerabilities & Metrics

Focus on domoticz vulnerabilities and metrics.

Last updated: 16 Apr 2026, 22:25 UTC

About domoticz Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with domoticz. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total domoticz CVEs: 5
Earliest CVE date: 31 Mar 2019, 14:29 UTC
Latest CVE date: 25 Mar 2026, 19:16 UTC

Latest CVE reference: CVE-2026-1001

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical domoticz CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.2

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	2
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS domoticz CVEs

These are the five CVEs with the highest CVSS scores for domoticz, sorted by severity first and recency.

CVE-2019-10664 domoticz Published on 31 Mar 2019, 14:29 UTC (CVSS: 7.5)
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.
CVE-2020-21990 domoticz Published on 29 Apr 2021, 14:15 UTC (CVSS: 5.0)
Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information.
CVE-2019-10678 domoticz Published on 31 Mar 2019, 21:29 UTC (CVSS: 5.0)
Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.
CVE-2019-15480 domoticz Published on 23 Aug 2019, 13:15 UTC (CVSS: 3.5)
Domoticz 4.10717 has XSS via item.Name.
CVE-2026-1001 domoticz Published on 25 Mar 2026, 19:16 UTC (CVSS: 0)
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing scr...

All CVEs for domoticz

CVE-2026-1001 domoticz vulnerability CVSS: 0 25 Mar 2026, 19:16 UTC

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attackers can inject malicious code that is stored and rendered without proper output encoding, causing script execution in the browsers of users viewing the affected page and enabling unauthorized actions within their session context.

CVE-2020-21990 domoticz vulnerability CVSS: 5.0 29 Apr 2021, 14:15 UTC

Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information.

CVE-2019-15480 domoticz vulnerability CVSS: 3.5 23 Aug 2019, 13:15 UTC

Domoticz 4.10717 has XSS via item.Name.

CVE-2019-10678 domoticz vulnerability CVSS: 5.0 31 Mar 2019, 21:29 UTC

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.

CVE-2019-10664 domoticz vulnerability CVSS: 7.5 31 Mar 2019, 14:29 UTC

Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.