CVE-2026-27177
Stored XSS and Session Hijack in MajorDoMo IoT Endpoint

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: VulnCheck

Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
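As an added illustration (not MajorDoMo's own code), the rendering flaw the description names beside a hardened form, plus a check for the missing HttpOnly flag on the session cookie; the template markup, function names, cookie name and the sample property value are assumptions for this example.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample (not from the page): a property whose SOURCE and VALUE carry
# HTML metacharacters, as the unauthenticated set endpoint would store them raw.
SAMPLE_SOURCE = 'sensor-01 <b>'
SAMPLE_VALUE = '21 &deg;C</textarea><img src=x onerror="alert(1)">'

def render_row_vulnerable(source: str, value: str) -> str:
    """Mirrors the described flaw: SOURCE goes into a <p> and VALUE into a
    <textarea> with no escaping, so stored data can close the element early."""
    return f'<p>{source}</p>\n<textarea name="value">{value}</textarea>'

def render_row_fixed(source: str, value: str) -> str:
    """Hardened form: escape for the HTML text context before interpolation.
    html.escape(quote=True) neutralises < > & " ' (the equivalent of PHP's
    htmlspecialchars($v, ENT_QUOTES) in a real template)."""
    return (f'<p>{html.escape(source, quote=True)}</p>\n'
            f'<textarea name="value">{html.escape(value, quote=True)}</textarea>')

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def element_tags(rendered: str) -> list:
    """Start tags a browser-like parser sees; anything beyond p/textarea came
    from stored data rather than from the template."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags

def session_cookie(name: str, sid: str, httponly: bool) -> str:
    """Build a Set-Cookie value; httponly=False reproduces the missing flag."""
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]['path'] = '/'
    cookie[name]['httponly'] = httponly
    return cookie.output(header='').strip()

def cookie_has_httponly(set_cookie: str) -> bool:
    """Check a Set-Cookie value for the HttpOnly attribute (case-insensitive)."""
    return any(part.strip().lower() == 'httponly' for part in set_cookie.split(';'))
```

In a PHP session setup the equivalent fix is session_set_cookie_params() with httponly set before session_start(), or the session.cookie_httponly ini setting.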
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: mjdm
Product: majordomo
Version / Range: *
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

The vulnerability in MajorDoMo is a stored cross-site scripting (XSS) issue found in the /objects/?op=set endpoint, which is intentionally left unauthenticated for IoT device integration.

User-supplied property values are stored directly in the database without any sanitization. When an administrator accesses the property editor in the admin panel, these stored values are rendered without escaping inside both a paragraph tag and a textarea element.

This causes the XSS to trigger automatically on page load without any action needed from the admin.

Additionally, the session cookie does not have the HttpOnly flag set, which allows attackers to steal the session cookie via JavaScript (document.cookie), enabling session hijacking.

Attackers can also enumerate properties through an unauthenticated API endpoint and inject malicious JavaScript into any property.

Impact Analysis

This vulnerability can lead to several security impacts:

  • An attacker can execute arbitrary JavaScript in the context of the administrator's browser, potentially leading to full account compromise.
  • Session hijacking is possible because the session cookie lacks the HttpOnly flag, allowing attackers to steal the admin's session cookie.
  • Attackers can manipulate or poison properties in the system, potentially disrupting IoT device integrations or causing unauthorized actions.
  • Overall, this can lead to unauthorized access, data theft, and manipulation of the system.