CVE-2019-10678

HIGH LAB

Domoticz <4.10579 - Info Disclosure

Title source: llm
Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-10678. PoCs published by Fabio Carretto, cved-sources.

Description

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Fabio Carretto · python · webapps · multiple
https://www.exploit-db.com/exploits/46773

This exploit leverages an authentication bypass and command injection vulnerability in Domoticz <= 4.10577. It supports multiple injection modes, including direct command execution, SQL injection for credential theft, and uploading malicious zip files.

Classification: Working PoC 95%
Attack Type: RCE | Auth Bypass | SQLi
Complexity: Moderate
Reliability: Reliable
Target: Domoticz <= 4.10577
No auth needed
Prerequisites: Network access to the target Domoticz instance · No authentication or login page required (Basic-Auth setting not enabled)
devstral-2 · analyzed Feb 16, 2026

nomisec STUB 1 stars
by cved-sources · poc
https://github.com/cved-sources/cve-2019-10678

This repository contains only a Dockerfile and a README, with no actual exploit code or technical details about CVE-2019-10678. It appears to be a placeholder for a vulnerable Docker container setup.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Domoticz (version not specified)
No auth needed
Prerequisites: Docker environment
devstral-2 · analyzed Feb 19, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46773/

Scores

CVSS v3 7.5
EPSS 0.1727
EPSS Percentile 96.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Lab Environment

Community Lab
docker pull joshuacox/mkdomoticz:stretch

Details

CWE: CWE-93
Status published
Products (1)
domoticz/domoticz < 4.10579
Published Mar 31, 2019
Tracked Since Feb 18, 2026