CVE-2026-27177
Stored XSS and Session Hijack in MajorDoMo IoT Endpoint

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: VulnCheck

Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
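The two output contexts the description names, a paragraph tag and a textarea, rendered raw and then escaped, together with the session-cookie flag, as an added PHP illustration that is not MajorDoMo's own code; the function names, array keys and sample values are assumptions constructed for this example.

```php
<?php
// Added illustration, not MajorDoMo's code: the same stored property rendered
// the way the advisory describes (raw) and the hardened way (escaped at the
// output boundary), plus the session-cookie flags. Names are assumptions.

// One escaper for HTML text and attribute contexts. ENT_QUOTES encodes both
// quote characters, so the result is also safe inside a quoted attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Pattern the advisory describes: the stored value goes into the markup raw.
// A <textarea> only holds text until "</textarea>" appears in that text; from
// there on the browser parses the rest of the value as markup.
function render_property_unsafe(array $prop): string {
    return "<p>{$prop['source']}</p>\n"
         . "<textarea name=\"value\">{$prop['value']}</textarea>\n";
}

// Hardened form: escape in both contexts. Storage stays raw (the set endpoint
// is unauthenticated by design), so output encoding is the control.
function render_property_safe(array $prop): string {
    return "<p>" . h($prop['source']) . "</p>\n"
         . "<textarea name=\"value\">" . h($prop['value']) . "</textarea>\n";
}

// Session cookie: HttpOnly keeps document.cookie from exposing the session id,
// so a script that does run cannot hand the session to a third party.
// Must be called before session_start().
function configure_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample property; "</textarea>" in the value shows why escaping
// the textarea body matters as much as the paragraph.
$prop = [
    'source' => '<b>sensor-01</b>',
    'value'  => '</textarea><i>breaks out</i>',
];

configure_session_cookie();
echo render_property_safe($prop);
```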
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-20
Generated: 2026-05-07
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: mjdm
Product: majordomo
Version / Range: *
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in MajorDoMo is a stored cross-site scripting (XSS) issue found in the /objects/?op=set endpoint, which is intentionally left unauthenticated for IoT device integration.

User-supplied property values are stored directly in the database without any sanitization. When an administrator accesses the property editor in the admin panel, these stored values are rendered without escaping inside both a paragraph tag and a textarea element.

This causes the XSS to trigger automatically on page load without any action needed from the admin.

Additionally, the session cookie does not have the HttpOnly flag set, which allows attackers to steal the session cookie via JavaScript (document.cookie), enabling session hijacking.

Attackers can also enumerate properties through an unauthenticated API endpoint and inject malicious JavaScript into any property.

How can this vulnerability impact me?

This vulnerability can lead to several security impacts:

  • An attacker can execute arbitrary JavaScript in the context of the administrator's browser, potentially leading to full account compromise.
  • Session hijacking is possible because the session cookie lacks the HttpOnly flag, allowing attackers to steal the admin's session cookie.
  • Attackers can manipulate or poison properties in the system, potentially disrupting IoT device integrations or causing unauthorized actions.
  • Overall, this can lead to unauthorized access, data theft, and manipulation of the system.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

I don't know