Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-27177
PUBLISHED
More InfoOfficial Page
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
View Known Exploited Vulnerability (KEV) details
Published At-18 Feb, 2026 | 21:10
Updated At-18 Feb, 2026 | 21:10
Rejected At-
▼CVE Numbering Authority (CNA)
MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.

Affected Products
Vendor
sergejey
Product
MajorDoMo
Default Status
unknown
Versions
Affected
  • From 0 through * (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Valentin Lobstein
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://chocapikk.com/posts/2026/majordomo-revisited/
third-party-advisory
https://github.com/sergejey/majordomo/pull/1177
patch
https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-property-set-endpoint
third-party-advisory
Hyperlink: https://chocapikk.com/posts/2026/majordomo-revisited/
Resource:
third-party-advisory
Hyperlink: https://github.com/sergejey/majordomo/pull/1177
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-property-set-endpoint
Resource:
third-party-advisory
Details not found