Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-27177— MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint

CVSS 7.2 · High EPSS 0.05% · P14
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-27177

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MajorDoMo 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MajorDoMo是MajorDoMo社区的一个开源DIY智能家居自动化平台。 MajorDoMo存在跨站脚本漏洞,该漏洞源于通过/objects/?op=set端点存储的用户提供的属性值未经清理原始存储在数据库中,当管理员在管理面板中查看属性编辑器时,存储的值在段落标签和textarea元素中未经转义渲染,可能导致存储型跨站脚本攻击和会话劫持。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
sergejeyMajorDoMo 0 ~ * -

II. Public POCs for CVE-2026-27177

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-27177

登录查看更多情报信息。

Same Patch Batch · sergejey · 2026-02-18 · 8 CVEs total

CVE-2026-271809.8 CRITICALMajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning
CVE-2026-271759.8 CRITICALMajorDoMo Command Injection in rc/index.php via Race Condition
CVE-2026-271749.8 CRITICALMajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval
CVE-2026-271798.2 HIGHMajorDoMo Unauthenticated SQL Injection in Commands Module
CVE-2026-271817.5 HIGHMajorDoMo Unauthenticated Module Uninstall via Market Endpoint
CVE-2026-271787.2 HIGHMajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox
CVE-2026-271766.1 MEDIUMMajorDoMo Reflected Cross-Site Scripting in command.php

IV. Related Vulnerabilities

Same product: MajorDoMo
Same vendor: sergejey
Same weakness: CWE-79

V. Comments for CVE-2026-27177

No comments yet

Leave a comment