
CVE-2026-27177: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sergejey MajorDoMo

Severity: Medium
Type: Vulnerability
Published: Wed Feb 18 2026 (02/18/2026, 21:10:38 UTC)
Source: CVE Database V5
Vendor/Project: sergejey
Product: MajorDoMo

Description

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/07/2026, 21:04:06 UTC

Technical Analysis

CVE-2026-27177 is a stored cross-site scripting (XSS) vulnerability affecting MajorDoMo, a platform used for IoT device integration. The vulnerability arises because the /objects/?op=set endpoint accepts user-supplied property values without any sanitization or escaping before storing them in the database. This endpoint is intentionally left unauthenticated to facilitate integration with IoT devices, which increases the attack surface. When an administrator views the property editor in the admin panel, the stored malicious JavaScript payload is rendered unescaped inside both a paragraph tag (SOURCE field) and a textarea element (VALUE field), causing the XSS to trigger immediately upon page load without requiring any click or interaction. Additionally, the session cookie used by the admin panel lacks the HttpOnly flag, which means that the injected JavaScript can access and exfiltrate the session cookie via document.cookie, enabling session hijacking. Attackers can also enumerate existing properties through the unauthenticated /api.php/data/ endpoint and inject malicious scripts into any property, effectively poisoning the admin interface. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity due to network attack vector, no privileges required, no authentication, and no user interaction needed. However, the impact on confidentiality and integrity is limited to the admin user context, and availability is not affected. No known exploits in the wild have been reported as of the publication date. The lack of input sanitization and missing cookie security flags are the root causes, making this a critical concern for organizations relying on MajorDoMo for IoT management.

Potential Impact

The primary impact of this vulnerability is the compromise of administrative accounts managing MajorDoMo installations. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the admin panel, leading to session hijacking, unauthorized access, and potential full control over the IoT management interface. This can result in unauthorized configuration changes, disruption of IoT device operations, and exposure of sensitive information. Since the vulnerable endpoint is unauthenticated and exposed to the network, attackers can remotely exploit this flaw without any credentials or user interaction. The ability to enumerate and poison properties increases the attack surface and persistence potential. Organizations relying on MajorDoMo for smart home or industrial IoT device management could face operational disruptions, data breaches, and potential lateral movement within their networks. The lack of HttpOnly on session cookies exacerbates the risk by facilitating session theft. Although no exploits are currently known in the wild, the ease of exploitation and administrative impact make this a significant threat that could be leveraged in targeted attacks or automated scanning campaigns.

Mitigation Recommendations

To mitigate CVE-2026-27177, organizations should first apply any available patches or updates from the MajorDoMo vendor once released. In the absence of patches, implement strict input validation and output encoding on all user-supplied data, especially on the /objects/?op=set endpoint, to neutralize any malicious scripts before storage and rendering. Restrict access to the unauthenticated endpoints by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. Enable the HttpOnly and Secure flags on session cookies to prevent JavaScript access and reduce session hijacking risks. Regularly audit and monitor property values stored in the database for suspicious or unexpected content. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting these endpoints. Educate administrators on the risks of XSS and encourage the use of multi-factor authentication to reduce the impact of compromised sessions. Finally, isolate the MajorDoMo management interface from general network access to minimize attack surface.
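The following PHP snippet is an added illustration of the two root causes named above and the corresponding fixes; it is not MajorDoMo's code. The function names, the shape of the `$property` array, and the sample values are constructed for this example. It shows the unescaped rendering pattern the description refers to (a value dropped straight into a paragraph tag and a textarea), the same output routed through `htmlspecialchars`, session cookie hardening with `HttpOnly`/`Secure`/`SameSite`, and a small heuristic that a periodic audit job could run over stored property values.

```php
<?php
// Added example for CVE-2026-27177. NOT MajorDoMo's code: function names,
// the $property array layout and the sample values are constructed here.

declare(strict_types=1);

// Constructed sample: a property whose fields were written through an
// unauthenticated endpoint and stored without sanitization.
$property = [
    'source' => '<script>alert(1)</script>',
    'value'  => '<script>alert(1)</script>',
];

// Vulnerable pattern: untrusted values interpolated into HTML as-is.
// In the <p> the script runs on page load; inside the <textarea> it is
// inert only until a value closes the element, so it needs escaping too.
function render_property_unsafe(array $p): string
{
    return "<p>{$p['source']}</p>\n"
         . "<textarea name=\"value\">{$p['value']}</textarea>";
}

// Hardened pattern: entity-encode every untrusted value at output time.
// ENT_QUOTES also encodes quotes, so the helper is safe inside attributes.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_property_safe(array $p): string
{
    return "<p>" . esc($p['source']) . "</p>\n"
         . "<textarea name=\"value\">" . esc($p['value']) . "</textarea>";
}

// Session cookie hardening: HttpOnly keeps the cookie out of document.cookie,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
// Must be called before session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Audit heuristic: flag stored values that contain markup or script-like
// content so they can be reviewed. Expect false positives on legitimate HTML.
function looks_suspicious(string $value): bool
{
    $patterns = [
        '/<\s*script/i',          // script tags
        '/<\/?\s*[a-z][^>]*>/i',  // any HTML tag
        '/\bon[a-z]+\s*=/i',      // inline event handlers (onerror=, onload=, ...)
        '/javascript\s*:/i',      // javascript: URLs
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $value) === 1) {
            return true;
        }
    }
    return false;
}

// Demonstration run (CLI): compare the two renderings and audit a few values.
echo "UNSAFE:\n" . render_property_unsafe($property) . "\n\n";
echo "SAFE:\n" . render_property_safe($property) . "\n\n";
foreach (['21.5', 'on', $property['value']] as $v) {
    printf("%-30s suspicious=%s\n", $v, looks_suspicious($v) ? 'yes' : 'no');
}
```

Escaping belongs at the point of output rather than at storage: the property store can keep raw values for device integration while every admin-panel view encodes them, which also covers values written before the fix. The audit heuristic is deliberately broad; treat a hit as something to review, not as proof of compromise.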


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-18T15:22:30.053Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69962e786aea4a407ae921f9

Added to database: 2/18/2026, 9:26:16 PM

Last enriched: 3/7/2026, 9:04:06 PM

Last updated: 4/6/2026, 7:18:33 PM

