CVE-2026-27177
Published: 18 February 2026
Summary
CVE-2026-27177 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Mjdm Majordomo. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in an unauthenticated public endpoint enables T1190 (exploitation of an internet-facing application for initial access) and directly facilitates T1185 (browser session hijacking via cookie theft in the admin's browser context).
NVD Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
Deeper analysis
CVE-2026-27177 is a stored cross-site scripting (XSS) vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation and IoT management platform. The issue affects the unauthenticated /objects/?op=set endpoint, which is designed for IoT device integration and accepts user-supplied property values without sanitization, storing them raw in the database. When an administrator accesses the property editor in the admin panel, these values are rendered without escaping in a paragraph tag (SOURCE field) and a textarea element (VALUE field), triggering the XSS payload automatically on page load without user interaction. The vulnerability is rated 7.2 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-79.
Any unauthenticated attacker with network access can exploit this vulnerability by enumerating properties through the unauthenticated /api.php/data/ endpoint and injecting malicious JavaScript into any property via the /objects/?op=set endpoint. Upon an administrator viewing the affected property editor, the XSS executes in the admin's browser context, enabling theft of sensitive data. The session cookie lacks the HttpOnly flag, allowing attackers to exfiltrate it via document.cookie for full session hijacking, potentially granting unauthorized admin access to the MajorDoMo instance.
Advisories from VulnCheck and Chocapikk detail the vulnerability and proof-of-concept exploitation, while a patch addressing the sanitization and HttpOnly issues is available in GitHub pull request #1177 for the sergejey/majordomo repository.
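As an added illustration (not MajorDoMo's own code, which is PHP, and not taken from the advisories or the patch), the following shows the two root causes side by side with their fixes: the stored value concatenated unescaped into the paragraph and textarea contexts versus HTML-escaped on output, and a session cookie emitted with HttpOnly. The cookie name and the sample property value are constructed assumptions.

```python
import html
from http import cookies

# Constructed sample: a stored property value that, if written into the admin
# page unescaped, would close the <textarea> and start a script element.
SAMPLE_VALUE = "</textarea><script>/* constructed marker */</script>"


def render_property_unsafe(source: str, value: str) -> str:
    """The pattern the advisory describes: the stored SOURCE and VALUE fields
    are concatenated straight into a <p> and a <textarea> with no escaping."""
    return f'<p>{source}</p>\n<textarea name="value">{value}</textarea>'


def render_property_safe(source: str, value: str) -> str:
    """Hardened form: encode on output in both contexts. html.escape() turns
    <, >, &, and quotes into entities, so a stored value can neither close the
    <textarea> nor open a <script> element, while the admin still sees the
    original text verbatim in the editor."""
    return (f"<p>{html.escape(source)}</p>\n"
            f'<textarea name="value">{html.escape(value)}</textarea>')


def value_survives_as_markup(rendered: str, value: str) -> bool:
    """Template regression check: True when a value containing markup
    characters appears in the rendered page exactly as stored."""
    return ("<" in value or ">" in value) and value in rendered


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build the Set-Cookie header for the session cookie with HttpOnly, the
    flag the advisory reports as missing; without it, script running in the
    admin's page can read the cookie through document.cookie. Secure and
    SameSite are added as defence in depth."""
    jar = cookies.SimpleCookie()
    name = "PHPSESSID"  # assumed name; the advisory does not state it
    jar[name] = session_id
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    if secure:
        jar[name]["secure"] = True
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_property_unsafe("sensor1", SAMPLE_VALUE))
    print(render_property_safe("sensor1", SAMPLE_VALUE))
    print(session_cookie_header("abc123"))
```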
Details
- CWE(s)