CVE-2026-27178 MEDIUM

CVE-2026-27178: MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox

Vendor Sergejey
Product MajorDoMo
Weakness CWE-79 · XSS
Published February 18, 2026
Last update March 5, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.

Key dates

02Disclosure timeline

February 18, 2026 CVE published
March 5, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-58633 WordPress Booking Ultra Pro Plugin <= 1.1.21 - Cross Site Scripting (XSS) Vulnerability CVE-2023-2864 SourceCodester Online Jewelry Store POST Parameter customer.php cross site scripting CVE-2025-11820 Graphina – Elementor Charts and Graphs <= 3.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets CVE-2025-2799 WP Event Manager <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2024-35647 WordPress Global Notification Bar plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability