CVE-2026-27178

HIGH

MajorDoMo - Unauthenticated Stored Cross-Site Scripting via Shoutbox Method Parameters

Title source: llm

Description

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.

References (3)

Core 3

Core References

Various Sources third-party-advisory

https://chocapikk.com/posts/2026/majordomo-revisited/

Issue Tracking issue-tracking

https://github.com/sergejey/majordomo/pull/1177

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-method-parameters-to-shoutbox

Scores

CVSS v3 7.2

EPSS 0.0023

EPSS Percentile 13.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

mjdm/majordomo

sergejey/MajorDoMo

Published Feb 18, 2026

Tracked Since Feb 19, 2026