CVE-2026-27178
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.
Analysis
MajorDomo's shoutbox feature is vulnerable to stored XSS due to unsanitized user input in the /objects/?method= endpoint, allowing unauthenticated attackers to inject malicious scripts that persist in the database. When administrators access the auto-refreshing dashboard, the stored payload executes automatically, enabling session hijacking and cookie theft. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all MajorDoMo instances in your environment and assess internet accessibility; isolate internet-facing instances or restrict access via network controls. Within 7 days: Implement WAF rules blocking requests to /objects/?method= containing suspicious parameters; disable the shoutbox feature if not business-critical. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today