CVE-2026-27178

Name of the Vulnerable Software and Affected Versions MajorDoMo versions (affected versions not specified)

Description The software contains a stored cross-site scripting (XSS) issue through method parameter injection into the shoutbox. The /objects/?method= API endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods, such as ThisComputer.VolumeLevelChanged(), pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. The dashboard widget auto-refreshes every 3 seconds, causing the injected script to execute automatically when an administrator loads the dashboard, potentially enabling session hijack through cookie exfiltration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.