CVE-2026-27178 in MajorDoMo
Summary
by MITRE • 02/19/2026
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/21/2026
The vulnerability identified as CVE-2026-27178 represents a critical stored cross-site scripting flaw within the MajorDoMo home automation platform that demonstrates a sophisticated attack vector leveraging method parameter injection. This vulnerability exists within the /objects/?method= endpoint which serves as a gateway for executing stored methods without authentication requirements, creating an exploitable surface that allows attackers to inject malicious payloads through the VALUE parameter of default methods such as ThisComputer.VolumeLevelChanged. The core technical flaw stems from the improper handling of user-supplied input where the say() function directly stores raw message content into the shouts database table without any form of output escaping or sanitization, effectively creating a persistent XSS vulnerability that can be triggered by any user with access to the dashboard interface.
The operational impact of this vulnerability extends far beyond simple script execution, as it enables sophisticated session hijacking attacks through automatic cookie exfiltration mechanisms. The dashboard widget's auto-refresh feature operating every three seconds creates an ideal environment for malicious scripts to execute automatically whenever administrators access the system, making this vulnerability particularly dangerous in environments where administrative access is limited but still present. The stored nature of the XSS payload means that once injected, the malicious code persists indefinitely within the database, ensuring that every subsequent dashboard load triggers the execution of the attacker's payload without requiring repeated exploitation attempts. This persistent characteristic aligns with CWE-79 which specifically addresses cross-site scripting vulnerabilities and demonstrates how improper input validation can create long-term security risks within web applications.
Security practitioners should recognize this vulnerability as a prime example of how insecure data handling practices can lead to severe consequences in web applications, particularly when considering the ATT&CK framework's approach to credential access and privilege escalation techniques. The vulnerability's exploitation pathway follows a clear attack pattern where initial access is gained through parameter injection, followed by persistent code execution, and finally automated session hijacking through cookie theft. The lack of authentication requirements for method execution makes this vulnerability particularly concerning as it can be exploited by unauthenticated attackers, while the automatic execution mechanism ensures maximum impact with minimal user interaction required. Organizations should implement comprehensive input validation and output sanitization measures, particularly focusing on the say() function and related database storage mechanisms, while also considering the implementation of Content Security Policy headers to mitigate the potential impact of such stored XSS vulnerabilities.