Description
MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting a URL with malicious content in the qry parameter.
Published: 2026-02-18
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Patch Now
AI Analysis

Impact

A reflected cross-site scripting flaw exists in the MajorDoMo home-automation platform, located in command.php. The input parameter $qry is incorporated into the HTML output without proper sanitization and is rendered in both an input field and a paragraph element. This allows an attacker to embed arbitrary JavaScript in a URL that, when visited, is executed in the context of the user's browser, potentially leading to credential theft, session hijacking, or defacement.

Affected Systems

The vulnerability affects installations of the MajorDoMo system, specifically the community project managed by the sergejey vendor. No version numbers are listed in the CNA data, so any deployment that has not yet applied the recent patch referenced in the official pull request could be exposed.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by crafting a URL that includes malicious content in the qry parameter and directing a victim to it; the request itself requires no authentication.

Generated by OpenCVE AI on April 16, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to command.php, which removes the unsanitized echo of the $qry parameter
  • When patching is not immediately possible, implement output encoding on the $qry variable using htmlspecialchars() or an equivalent function before rendering it in any attribute or element
  • Deploy a Web Application Firewall rule to block or sanitize requests containing suspicious characters in the qry parameter so that arbitrary JavaScript cannot be reflected back to users
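The following is an added example, not code from the MajorDoMo project, showing the output encoding the recommendation above describes for the two contexts named in the advisory (an input value attribute and a paragraph element). It assumes a hypothetical handler that reads the parameter from $_GET['qry']; the function names h() and renderCommandForm() are illustrative.

```php
<?php
// Added example (not MajorDoMo's own code): encoding the reflected
// `qry` parameter before it reaches either output context.
declare(strict_types=1);

/**
 * Encode a string for use inside an HTML attribute value or element body.
 * ENT_QUOTES escapes both " and ', so the result is safe in single- and
 * double-quoted attributes (the pre-8.1 default ENT_COMPAT leaves ' alone).
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render the two fragments the advisory describes command.php as emitting,
 * with the parameter encoded at the point of output rather than on input.
 * $qry is whatever the caller read from the request (assumed: $_GET['qry']).
 */
function renderCommandForm(string $qry): string
{
    return '<input type="text" name="qry" value="' . h($qry) . '">' . "\n"
         . '<p>' . h($qry) . '</p>' . "\n";
}

/**
 * Self-check against a constructed value that contains every character
 * significant in HTML. Passing means the user-supplied part contributed
 * only entities, never raw tag or quote characters.
 */
function selfCheck(): bool
{
    $probe = '<b>&"\'x';                 // constructed sample input, not a real request
    $html  = renderCommandForm($probe);
    return !str_contains($html, '<b>')             // no raw tag survived
        && !str_contains($html, '"\'')             // no raw quote pair survived
        && str_contains($html, '&lt;b&gt;&amp;&quot;&apos;x');
}

if (PHP_SAPI === 'cli') {
    // Run the self-check when executed from the command line.
    echo selfCheck() ? "encoding check passed\n" : "encoding check FAILED\n";
} else {
    // Request path: read the untrusted parameter and emit the encoded page.
    $qry = $_GET['qry'] ?? '';
    header('Content-Type: text/html; charset=UTF-8');
    echo renderCommandForm($qry);
}
```

Two points worth keeping in mind when applying this as a stopgap: the encoding must happen at each output sink, not once on input, because the same value may later be placed in a different context; and htmlspecialchars() only covers HTML attribute and element bodies. If $qry were ever interpolated into a URL, a JavaScript string, or an inline event handler, a context-specific encoder (rawurlencode() for URL components, a JSON encoder for script data) would be needed instead.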

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Mjdm; Mjdm majordomo
CPEs                 (none)           cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
Vendors & Products   (none)           Mjdm; Mjdm majordomo
Metrics              (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting a URL with malicious content in the qry parameter.
Title                (none)           MajorDoMo Reflected Cross-Site Scripting in command.php
First Time appeared  (none)           Sergejey; Sergejey majordomo
Weaknesses           (none)           CWE-79
CPEs                 (none)           cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Sergejey; Sergejey majordomo
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                                      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Mjdm Majordomo
Sergejey Majordomo
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:11.864Z

Reserved: 2026-02-18T15:22:30.053Z

Link: CVE-2026-27176

Vulnrichment

Updated: 2026-02-20T19:31:13.945Z

NVD

Status : Analyzed

Published: 2026-02-18T22:16:25.440

Modified: 2026-02-20T20:01:03.647

Link: CVE-2026-27176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses