CVE-2026-27177
Received Received - Intake

Stored XSS and Session Hijack in MajorDoMo IoT Endpoint

Vulnerability report for CVE-2026-27177, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: VulnCheck

Description

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mjdm majordomo *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in MajorDoMo is a stored cross-site scripting (XSS) issue found in the /objects/?op=set endpoint, which is intentionally left unauthenticated for IoT device integration.

User-supplied property values are stored directly in the database without any sanitization. When an administrator accesses the property editor in the admin panel, these stored values are rendered without escaping inside both a paragraph tag and a textarea element.

This causes the XSS to trigger automatically on page load without any action needed from the admin.

Additionally, the session cookie does not have the HttpOnly flag set, which allows attackers to steal the session cookie via JavaScript (document.cookie), enabling session hijacking.

Attackers can also enumerate properties through an unauthenticated API endpoint and inject malicious JavaScript into any property.

Impact Analysis

This vulnerability can lead to several security impacts:

  • An attacker can execute arbitrary JavaScript in the context of the administrator's browser, potentially leading to full account compromise.
  • Session hijacking is possible because the session cookie lacks the HttpOnly flag, allowing attackers to steal the admin's session cookie.
  • Attackers can manipulate or poison properties in the system, potentially disrupting IoT device integrations or causing unauthorized actions.
  • Overall, this can lead to unauthorized access, data theft, and manipulation of the system.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27177. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart