CVE-2026-27177
Published: 18 February 2026
Summary
CVE-2026-27177 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Mjdm Majordomo. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-27177 is a stored cross-site scripting (XSS) vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation and IoT management platform. The issue affects the unauthenticated /objects/?op=set endpoint, which is designed for IoT device integration and accepts user-supplied property values without sanitization, storing them raw in the database. When an administrator accesses the property editor in the admin panel, these values are rendered without escaping in a paragraph tag (SOURCE field) and a textarea element (VALUE field), triggering the XSS payload automatically on page load without user interaction. The vulnerability is rated 7.2 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-79.
Any unauthenticated attacker with network access can exploit this vulnerability by enumerating properties through the unauthenticated /api.php/data/ endpoint and injecting malicious JavaScript into any property via the /objects/?op=set endpoint. Upon an administrator viewing the affected property editor, the XSS executes in the admin's browser context, enabling theft of sensitive data. The session cookie lacks the HttpOnly flag, allowing attackers to exfiltrate it via document.cookie for full session hijacking, potentially granting unauthorized admin access to the MajorDoMo instance.
Advisories from VulnCheck and Chocapikk detail the vulnerability and proof-of-concept exploitation, while a patch addressing the sanitization and HttpOnly issues is available in GitHub pull request #1177 for the sergejey/majordomo repository.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8389
Vulnerability details
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS reachable through an unauthenticated public endpoint enables T1190 (exploitation of an internet-facing application for initial access) and directly facilitates T1185 (Browser Session Hijacking, here via cookie theft in the admin's browser context).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of all input received at the unauthenticated /objects/?op=set endpoint before values are stored in the database.
- SI-15 (Information Output Filtering): mandates output filtering/escaping of stored property values when rendered in the admin panel's SOURCE paragraph and VALUE textarea, directly blocking XSS execution.
- Secure configuration settings: enforces settings such as the HttpOnly flag on session cookies, preventing exfiltration via document.cookie after XSS fires.
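As an added illustration in Python (not code from MajorDoMo, the advisories or the patch), the output-escaping and HttpOnly controls above: the same editor template rendered raw and with escaping, a parser-based regression check that the escaped render emits only the template's own tags, and a Set-Cookie header check for HttpOnly. The stored property value and the cookie name `sid` are constructed assumptions, not values from the page.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample of what an unauthenticated client could leave in the
# property store; the page names no real payload, this is illustrative only.
STORED_PROPERTY = {
    "source": "<script>/* constructed */</script>",
    "value": "</textarea><script>/* constructed */</script>",
}


def render_editor_unescaped(prop):
    """Mirrors the flaw: raw stored values are interpolated into the markup."""
    return (f"<p>{prop['source']}</p>\n"
            f'<textarea name="value">{prop["value"]}</textarea>')


def render_editor_escaped(prop):
    """Hardened form (SI-15): HTML-escape at output time. Encoding < > & " '
    stops a value from opening a tag inside the <p> or closing the <textarea>
    early (textarea content is plain text until an end tag appears)."""
    return (f"<p>{html.escape(prop['source'])}</p>\n"
            f'<textarea name="value">{html.escape(prop["value"])}</textarea>')


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(rendered):
    """Regression check: list every start tag in the rendered editor. A safe
    render contains only the two tags the template itself emits."""
    parser = _TagCollector()
    parser.feed(rendered)
    return parser.tags


def cookie_is_httponly(set_cookie_header, name="sid"):
    """Configuration check for the cookie fix: parse a Set-Cookie header and
    report whether the session cookie carries HttpOnly. 'sid' is an assumed
    cookie name; the page does not state MajorDoMo's."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return name in jar and bool(jar[name]["httponly"])


if __name__ == "__main__":
    print(element_tags(render_editor_unescaped(STORED_PROPERTY)))  # ['p', 'script', 'textarea', 'script']
    print(element_tags(render_editor_escaped(STORED_PROPERTY)))    # ['p', 'textarea']
    print(cookie_is_httponly("sid=abc123; Path=/"))                # False
```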