CVE-2026-27177

Name of the Vulnerable Software and Affected Versions MajorDoMo versions (affected versions not specified)

Description MajorDoMo contains a stored cross-site scripting (XSS) issue through the /objects/?op=set API endpoint. This endpoint is intentionally unauthenticated for integration with IoT devices. User-provided property values are saved into the database without proper sanitization. When an administrator views the property editor within the admin panel, these stored values are displayed without escaping, both within a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS is triggered upon page load, requiring no user interaction from the administrator. Furthermore, the session cookie does not have the HttpOnly flag set, which allows for session hijacking through document.cookie exfiltration. An attacker can identify properties using the unauthenticated /api.php/data/ API endpoint and inject malicious JavaScript into any property.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.