CVE-2026-27176

MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting a URL with malicious content in the qry parameter.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://chocapikk.com/posts/2026/majordomo-revisited/	Third Party Advisory Exploit
https://github.com/sergejey/majordomo/pull/1177	Issue Tracking Exploit
https://www.vulncheck.com/advisories/majordomo-reflected-cross-site-scripting-in-commandphp	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-18 22:16

Updated : 2026-02-20 20:01

NVD link : CVE-2026-27176

Mitre link : CVE-2026-27176

CVE.ORG link : CVE-2026-27176

JSON object : View

Products Affected

mjdm

majordomo

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-27176", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-18T22:16:25.440", "references": [{"url": "https://chocapikk.com/posts/2026/majordomo-revisited/", "tags": ["Third Party Advisory", "Exploit"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/sergejey/majordomo/pull/1177", "tags": ["Issue Tracking", "Exploit"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/majordomo-reflected-cross-site-scripting-in-commandphp", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting a URL with malicious content in the qry parameter."}, {"lang": "es", "value": "MajorDoMo (tambi\u00e9n conocido como Major Domestic Module) contiene una vulnerabilidad de cross-site scripting (XSS) reflejada en command.PHP. El par\u00e1metro $qry se renderiza directamente en la p\u00e1gina HTML sin sanitizaci\u00f3n a trav\u00e9s de htmlspecialchars(), tanto en un atributo de valor de campo de entrada como en un elemento de p\u00e1rrafo. Un atacante puede inyectar JavaScript arbitrario al crear una URL con contenido malicioso en el par\u00e1metro qry."}], "lastModified": "2026-02-20T20:01:03.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7008978E-8DE1-4811-958F-3AFB3847B919"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}