Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Mar 5, 2026
MajorDoMo Reflected Cross-Site Scripting in command.php
CVE-2026-27176
Description
MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting a URL with malicious content in the qry parameter.
Affected products
2- sergejey/MajorDoMov5Range: 0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/sergejey/majordomo/pull/1177mitrepatch
- chocapikk.com/posts/2026/majordomo-revisited/mitrethird-party-advisory
- www.vulncheck.com/advisories/majordomo-reflected-cross-site-scripting-in-commandphpmitrethird-party-advisory
News mentions
0No linked articles in our index yet.