Reflected Cross-Site Scripting Vulnerability in MajorDoMo by MajorDoMo Inc.
CVE-2026-27176

5.1MEDIUM

Key Information:

Vendor: Sergejey
Status: Majordomo
Vendor: CVE Published:; 18 February 2026

What is CVE-2026-27176?

MajorDoMo, a web-based home automation software, contains a reflected cross-site scripting (XSS) vulnerability in the command.php file. This vulnerability arises from the improper handling of the $qry parameter, which is directly rendered into the HTML output without adequate sanitization. An attacker can exploit this flaw by crafting a malicious URL that injects arbitrary JavaScript into the application. This could lead to various attacks, including the theft of sensitive user information or the execution of unauthorized actions on behalf of the user.

Affected Version(s)

MajorDoMo 0

References

https://chocapikk.com/posts/2026/majordomo-revisited/

third-party-advisory

https://github.com/sergejey/majordomo/pull/1177

patch

https://www.vulncheck.com/advisories/majordomo-reflected-...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Feb 18, 2026

Credit

Valentin Lobstein

CVE-2026-27176 Data

JSON

Sergejey

What is CVE-2026-27176?

Affected Version(s)

References

CVSS V4

Timeline

Credit