CVE-2019-10664

CRITICAL

domoticz < 4.10578 - Unauthenticated SQL Injection via idx Parameter in CWebServer::GetFloorplanImage

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10664. PoCs published by Fabio Carretto.

AI-analyzed exploit summary: This exploit leverages an authentication bypass and command injection vulnerability in Domoticz <= 4.10577. It supports multiple injection modes, including direct command execution, SQL injection for credential theft, and uploading malicious zip files.

Description

Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.

Exploits (1)

exploit-db · Working PoC · Verified
by Fabio Carretto · python · webapps · multiple
https://www.exploit-db.com/exploits/46773


Classification
Working PoC (95%)
Attack Type
RCE | Auth Bypass | SQLi
Complexity
Moderate
Reliability
Reliable
Target: Domoticz <= 4.10577
No auth needed
Prerequisites: Network access to the target Domoticz instance · No authentication or login page required (Basic-Auth setting not enabled)
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/46773/

Scores

CVSS v3 9.8
EPSS 0.0755
EPSS Percentile 93.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
domoticz/domoticz < 4.10578
Published Mar 31, 2019
Tracked Since Feb 18, 2026