Vulnerability Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mjdm | Majordomo | - |
Related Weaknesses (CWE)
References
- https://chocapikk.com/posts/2026/majordomo-revisited/Third Party AdvisoryExploit
- https://github.com/sergejey/majordomo/pull/1177Issue TrackingExploit
- https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-mThird Party Advisory
FAQ
What is CVE-2026-27178?
CVE-2026-27178 is a vulnerability with a CVSS score of 7.2 (HIGH). MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthentic...
How severe is CVE-2026-27178?
CVE-2026-27178 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27178?
Check the references section above for vendor advisories and patch information. Affected products include: Mjdm Majordomo.