Stored Cross-Site Scripting Vulnerability in MajorDoMo by MajorDoMo Inc.
CVE-2026-27177

5.3 MEDIUM

Key Information:

Vendor: Sergejey

Status
Vendor
CVE Published: 18 February 2026

What is CVE-2026-27177?

MajorDoMo contains a stored cross-site scripting (XSS) vulnerability that attackers can exploit via unauthenticated endpoints. User-supplied property values are stored directly in the database without proper sanitization. When an administrator opens the property editor, these stored values are rendered unsafely, so malicious scripts can execute on page load. In addition, session cookies are set without the HttpOnly flag, which exposes them to session hijacking via document.cookie exfiltration. The risk is particularly significant for IoT device integrations, because attackers could enumerate property values and poison them with harmful JavaScript.
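
The two weaknesses described above, shown as an unsafe render next to its encoded form, plus session cookie flags. This is an added example, not MajorDoMo code: the function names, the form-field markup and the sample property are hypothetical, and it assumes PHP 7.3 or later with the admin UI served over HTTPS.

```php
<?php
// Added illustration; not taken from the MajorDoMo code base.
// All function names and the form markup below are hypothetical.

// Cookie flags must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumption: admin UI is served over HTTPS
    'httponly' => true,   // cookie is no longer readable via document.cookie
    'samesite' => 'Lax',
]);
session_start();

// Encode a stored value for an HTML text or attribute context at render time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern: the stored value is concatenated into markup as-is,
// so any quote or angle bracket in it changes the page structure.
function render_property_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: every stored field is encoded where it is output,
// regardless of which endpoint originally wrote it to the database.
function render_property(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Constructed sample: a harmless marker that breaks out of the attribute
// when rendered unsafely and stays inert when encoded.
$stored = '"><b>marker</b>';

echo render_property_unsafe('livingroom.temp', $stored), PHP_EOL;
echo render_property('livingroom.temp', $stored), PHP_EOL;
```

Encoding at output covers values that are already in the database. HttpOnly limits cookie theft but does not stop script from acting inside the administrator's session, so it complements the encoding fix rather than replacing it.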

Affected Version(s)

MajorDoMo 0

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein