CVE-2026-27178

Exploit

EPSS 0.23%
Veröffentlicht 18.02.2026 21:10:39
Zuletzt bearbeitet 20.02.2026 19:58:33
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mjdm ≫ Majordomo Version-

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.131

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
disclosure@vulncheck.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://chocapikk.com/posts/2026/majordomo-revisited/

Third Party Advisory

Exploit

https://github.com/sergejey/majordomo/pull/1177

Exploit

Issue Tracking

https://www.vulncheck.com/advisories/majordomo-stored-cross-site-scripting-via-method-parameters-to-shoutbox

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27178

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27178

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27178

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27178