CVE-2026-27177: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sergejey MajorDoMo
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
AI Analysis
Technical Summary
MajorDoMo, a home automation platform designed for IoT device integration, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-27177. The vulnerability arises from the /objects/?op=set endpoint, which is intentionally left unauthenticated to facilitate IoT device integration. This endpoint accepts user-supplied property values that are stored directly in the backend database without any input sanitization or encoding. When an administrator accesses the property editor within the admin panel, these stored values are rendered directly into the HTML page inside a paragraph tag (SOURCE field) and a textarea element (VALUE field) without escaping. This unsafe rendering leads to the execution of malicious JavaScript code embedded in the property values immediately upon page load, without requiring any click or additional user interaction. Compounding the risk, the session cookie used by the admin panel lacks the HttpOnly attribute, allowing the attacker’s script to access document.cookie and exfiltrate session tokens, facilitating session hijacking. Furthermore, the attacker can enumerate existing properties through the unauthenticated /api.php/data/ endpoint and inject malicious payloads into any property, effectively poisoning the admin interface. The vulnerability has a CVSS 4.0 score of 5.3, indicating medium severity, with an attack vector over the network, no privileges or authentication required, and no user interaction needed. Although no known exploits have been reported in the wild, the vulnerability’s characteristics make it a credible threat, especially in environments where the admin panel is accessible or insufficiently protected. The lack of input validation and improper output encoding are classic web application security failures that enable this attack vector. The vulnerability affects version 0 of MajorDoMo, and no official patches or mitigations have been linked yet.
Potential Impact
For European organizations using MajorDoMo for IoT home or building automation, this vulnerability could lead to unauthorized administrative access through session hijacking, resulting in potential manipulation or disruption of IoT devices and automation workflows. Confidentiality is at risk due to session token theft, and integrity is compromised as attackers can inject malicious scripts that alter system behavior or steal sensitive data. Availability could be indirectly affected if attackers disable or misconfigure devices. Since the attack requires no authentication and can be triggered remotely, organizations with exposed or poorly segmented admin interfaces are particularly vulnerable. This risk extends to smart buildings, residential complexes, and enterprises relying on MajorDoMo for automation, potentially impacting privacy and operational continuity. The medium severity score reflects a moderate but tangible threat, especially given the unauthenticated access to the vulnerable endpoint. The lack of HttpOnly on cookies exacerbates the risk by enabling session hijacking. European organizations with lax network segmentation or insufficient access controls for IoT management interfaces face increased exposure. The threat also raises compliance concerns under GDPR due to potential unauthorized access and data leakage.
Mitigation Recommendations
European organizations should immediately restrict network access to the MajorDoMo admin panel and related endpoints, ensuring they are not exposed to the public internet. Implement strict firewall rules or VPN access to limit administrative interface exposure. Apply input validation and output encoding controls at the application level to sanitize all user-supplied data before storage and rendering, particularly for the /objects/?op=set endpoint. If possible, disable or secure the unauthenticated API endpoints to prevent property enumeration and poisoning. Enforce the HttpOnly flag on session cookies to prevent client-side script access. Monitor logs for unusual activity related to property modifications or API calls. Conduct regular security assessments and penetration tests focusing on IoT management platforms. Until an official patch is available, consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting MajorDoMo endpoints. Educate administrators on the risks of accessing the admin panel from untrusted networks or devices. Finally, maintain an incident response plan tailored to IoT platform compromises.
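The output-encoding and HttpOnly recommendations above, as an added PHP example that is not MajorDoMo's own code: the property editor fields are rendered unsafely and then hardened side by side, and the session cookie is issued HttpOnly. The `$property` array and the editor markup are assumptions for illustration.

```php
<?php
// Added example (not from the MajorDoMo code base): encode stored property
// values at the output boundary and harden the admin session cookie.
// $property and the template fragments are assumptions for illustration.

// Encode a stored value for an HTML text context (<p>, <textarea>).
// ENT_QUOTES also encodes quotes, so the same helper is safe inside attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample of a poisoned property as read back from the database:
// raw, exactly as an unauthenticated caller of /objects/?op=set submitted it.
$property = [
    'source' => '<img src=x onerror="alert(1)">',
    'value'  => '</textarea><script>alert(1)</script>',
];

// Vulnerable rendering (the pattern the advisory describes): stored values are
// concatenated straight into the markup, so both payloads execute on page load.
$vulnerable = '<p>' . $property['source'] . '</p>'
            . '<textarea name="value">' . $property['value'] . '</textarea>';

// Hardened rendering: every stored value passes through h(). The closing
// </textarea> in VALUE becomes &lt;/textarea&gt; and cannot break out of the
// element; the <img> in SOURCE is shown as literal text instead of parsed.
$hardened = '<p>' . h($property['source']) . '</p>'
          . '<textarea name="value">' . h($property['value']) . '</textarea>';

// Sanity check: no executable markup survives in the hardened output.
assert(strpos($hardened, '<script') === false);
assert(strpos($hardened, '<img') === false);

// Cookie hardening, set before session_start(): HttpOnly keeps the session
// id out of document.cookie; Secure and SameSite limit where it is sent.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Strict');
session_start();

echo $hardened, PHP_EOL;
```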
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-18T15:22:30.053Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69962e786aea4a407ae921f9
Added to database: 2/18/2026, 9:26:16 PM
Last enriched: 2/18/2026, 9:42:48 PM
Last updated: 2/21/2026, 12:18:53 AM