MajorDoMo, a home automation platform, contains a stored cross-site scripting vulnerability identified as CVE-2026-27178. The vulnerability arises from improper neutralization of input during web page generation, specifically through the /objects/?method= endpoint which allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged accept a VALUE parameter that is passed directly into the say() function without sanitization. This function stores the input raw in the shouts database table. The shoutbox widget then renders these stored messages without escaping or sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, any injected malicious script executes automatically whenever an administrator loads or views the dashboard. This facilitates session hijacking by exfiltrating cookies or other sensitive session data. The vulnerability does not require authentication, making it accessible to remote attackers. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, low impact on confidentiality and integrity, no impact on availability, and low scope impact. No patches or known exploits are currently documented, but the vulnerability poses a significant risk to administrative users and the integrity of the MajorDoMo platform.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the context of an administrator's browser session. This can lead to session hijacking, allowing attackers to impersonate administrators and gain unauthorized control over the MajorDoMo system. Given that MajorDoMo is used for home automation, unauthorized access could result in manipulation of connected devices, privacy breaches, and disruption of home automation functions. The auto-refreshing dashboard increases the likelihood of automatic exploitation without explicit user action beyond loading the dashboard. Although the vulnerability does not directly impact system availability, the compromise of administrative sessions can lead to broader security breaches, data theft, and loss of control over the environment. Organizations using MajorDoMo should consider this a medium risk due to the ease of exploitation and potential for significant impact on confidentiality and integrity of the system.

To mitigate this vulnerability, organizations should immediately apply any available patches or updates from the MajorDoMo vendor once released. In the absence of patches, administrators should disable or restrict access to the shoutbox feature and the /objects/?method= endpoint to trusted users only, ideally behind strong authentication and network controls. Input validation and output encoding should be implemented to sanitize all user-supplied data before storage and rendering, particularly in the shoutbox functionality. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the dashboard context. Monitoring and logging access to the vulnerable endpoints can help detect exploitation attempts. Additionally, administrators should be educated to avoid loading the dashboard from untrusted networks or devices until the vulnerability is remediated. Network segmentation and limiting administrative interface exposure to the internet can reduce the attack surface. Finally, consider implementing multi-factor authentication for administrative access to mitigate session hijacking impacts.