Stored Cross-Site Scripting in MajorDoMo Shoutbox Component
CVE-2026-27178

CVSS 5.3 (MEDIUM)

Key Information:

Vendor: Sergejey
Status: Vendor
CVE Published: 18 February 2026

What is CVE-2026-27178?

MajorDoMo, a popular home automation system, has a stored cross-site scripting (XSS) vulnerability in its shoutbox feature, reached through method parameter injection. The /objects/?method= endpoint lets an unauthenticated attacker invoke methods with attacker-controlled parameters. User-supplied shoutbox messages are written to the database without escaping, and the shoutbox widget later renders that stored content without sanitization. The injected script therefore executes automatically when an administrator opens the dashboard, which enables session hijacking through cookie exfiltration.
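The following is an added example, not MajorDoMo's own code: it models the stored-XSS flow described above with a hypothetical shoutbox table and widget renderer, shows the vulnerable rendering beside a hardened version that HTML-encodes every stored field at output time, and includes an audit helper a defender can run over existing rows to find messages that already contain markup. All message data is constructed for the example.

```python
import html
import re

# Constructed sample rows, standing in for a shoutbox table. The second row is
# a harmless test payload of the kind a stored-XSS report would describe.
STORED_MESSAGES = [
    {"user": "alice", "msg": "Hallway lights are on"},
    {"user": "guest", "msg": "<script>alert('xss')</script>"},
]

# Hypothetical widget template: one list item per stored message.
ROW_TEMPLATE = '<li><b>{user}</b>: {msg}</li>'


def render_vulnerable(messages):
    """Interpolates stored fields verbatim, so stored markup reaches the browser."""
    rows = [ROW_TEMPLATE.format(**m) for m in messages]
    return "<ul class='shoutbox'>" + "".join(rows) + "</ul>"


def render_hardened(messages):
    """Entity-encodes every stored field for an HTML text context at render time.

    Encoding on output protects rows that were stored unescaped before the fix,
    which is the case a stored-XSS bug leaves behind in the database.
    """
    rows = [
        ROW_TEMPLATE.format(
            user=html.escape(m["user"], quote=True),
            msg=html.escape(m["msg"], quote=True),
        )
        for m in messages
    ]
    return "<ul class='shoutbox'>" + "".join(rows) + "</ul>"


# Matches anything that looks like an HTML tag or an inline event handler.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|on[a-zA-Z]+\s*=", re.IGNORECASE)


def find_markup_in_stored(messages):
    """Audit helper: returns indices of stored rows whose text contains markup."""
    return [i for i, m in enumerate(messages) if _MARKUP_RE.search(m["msg"])]


if __name__ == "__main__":
    print(render_vulnerable(STORED_MESSAGES))
    print(render_hardened(STORED_MESSAGES))
    print("rows needing review:", find_markup_in_stored(STORED_MESSAGES))
```

The audit helper is a triage aid for rows written before escaping was introduced; the durable fix is the output encoding in `render_hardened`, applied regardless of how a row was stored.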

Affected Version(s)

MajorDoMo 0

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein