CVE-2026-27178

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27178
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://chocapikk.com/posts/2026/majordomo-revisited/ Third Party Advisory Exploit
https://github.com/sergejey/majordomo/pull/1177 Issue Tracking Exploit
https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-method-parameters-to-shoutbox Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
History

20 Feb 2026, 19:58

Type Values Removed Values Added
Summary
  • (es) MajorDoMo (también conocido como Major Domestic Module) contiene una vulnerabilidad de cross-site scripting (XSS) almacenado a través de la inyección de parámetros de método en la shoutbox. El endpoint /objects/?method= permite la ejecución no autenticada de métodos almacenados con parámetros controlados por el atacante. Métodos predeterminados como ThisComputer.VolumeLevelChanged pasan el parámetro VALUE proporcionado por el usuario directamente a la función say(), la cual almacena el mensaje en bruto en la tabla de la base de datos shouts sin escapar. El widget de la shoutbox renderiza los mensajes almacenados sin sanitización tanto en el código de renderizado PHP como en las plantillas HTML. Debido a que el widget del panel de control se actualiza automáticamente cada 3 segundos, el script inyectado se ejecuta automáticamente cuando cualquier administrador carga el panel de control, lo que permite el secuestro de sesión a través de la exfiltración de cookies.
CPE cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
First Time Mjdm
Mjdm majordomo
References () https://chocapikk.com/posts/2026/majordomo-revisited/ - () https://chocapikk.com/posts/2026/majordomo-revisited/ - Third Party Advisory, Exploit
References () https://github.com/sergejey/majordomo/pull/1177 - () https://github.com/sergejey/majordomo/pull/1177 - Issue Tracking, Exploit
References () https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-method-parameters-to-shoutbox - () https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-method-parameters-to-shoutbox - Third Party Advisory

18 Feb 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-18 22:16

Updated : 2026-02-20 19:58

NVD link : CVE-2026-27178

Mitre link : CVE-2026-27178

CVE.ORG link : CVE-2026-27178

JSON object : View

Products Affected

mjdm

  • majordomo
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')