CVE-2026-27178 is a stored cross-site scripting vulnerability affecting MajorDoMo, a home automation and smart device management platform developed by sergejey. The vulnerability exists in the /objects/?method= endpoint, which allows unauthenticated users to invoke stored methods with attacker-controlled parameters. Specifically, default methods such as ThisComputer.VolumeLevelChanged accept a VALUE parameter that is passed directly into the say() function. This function stores the message in the shouts database table without any escaping or sanitization. The shoutbox widget on the dashboard renders these stored messages both in PHP rendering code and HTML templates without sanitization, leading to persistent XSS. Because the dashboard widget auto-refreshes every 3 seconds, any injected malicious script executes automatically when an administrator loads or refreshes the dashboard, without requiring any user interaction. This enables attackers to hijack administrator sessions by exfiltrating cookies or other sensitive data. The vulnerability is exploitable remotely without authentication, increasing its risk. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) reflects network attack vector, low attack complexity, no privileges required, user interaction required, low impact on confidentiality and integrity, no impact on availability, and low scope and security requirements. No patches or known exploits are currently reported, but the vulnerability poses a significant risk to administrative control and data confidentiality within affected deployments.

For European organizations using MajorDoMo, this vulnerability could lead to unauthorized administrative access through session hijacking, compromising the confidentiality and integrity of automation controls and potentially sensitive data. Since the exploit requires no authentication and is triggered automatically via the dashboard's auto-refresh, attackers can silently compromise administrator sessions. This may allow attackers to manipulate home or building automation systems, disrupt operations, or gain further footholds in internal networks. The impact is particularly critical for organizations relying on MajorDoMo for managing critical infrastructure or sensitive environments. Additionally, compromised administrator accounts could be leveraged for lateral movement or data exfiltration. Although availability impact is low, the breach of administrative credentials and control could have cascading effects on operational security and privacy compliance, especially under GDPR regulations in Europe.

1. Immediately restrict access to the /objects/?method= endpoint through network-level controls such as firewalls or web application firewalls (WAF) to prevent unauthenticated access. 2. Implement input validation and output encoding on all user-supplied data, especially in the shoutbox feature, to neutralize malicious scripts before storage and rendering. 3. Disable or remove the shoutbox widget from the dashboard if it is not essential to reduce attack surface. 4. Introduce Content Security Policy (CSP) headers to limit the impact of any injected scripts by restricting script sources and preventing inline script execution. 5. Monitor dashboard access logs and network traffic for unusual activity indicative of exploitation attempts. 6. Apply principle of least privilege to administrator accounts and consider multi-factor authentication to reduce risk from session hijacking. 7. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available. 8. Educate administrators about the risk of persistent XSS and encourage regular session invalidation and use of secure cookies with HttpOnly and Secure flags.