CVE-2026-27176
📋 TL;DR
MajorDoMo's command.php has a reflected XSS vulnerability where the $qry parameter is directly inserted into HTML without sanitization. Attackers can craft malicious URLs to execute arbitrary JavaScript in victims' browsers. All MajorDoMo instances using vulnerable versions are affected.
💻 Affected Systems
- MajorDoMo (Major Domestic Module)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal session cookies, hijack user accounts, perform actions as authenticated users, or redirect to malicious sites.
Likely Case
Session hijacking, credential theft, or defacement of the web interface through crafted phishing links.
If Mitigated
Limited impact if input validation, output encoding, or WAF rules block malicious payloads.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link). Proof-of-concept details are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version including pull request #1177
Vendor Advisory: https://github.com/sergejey/majordomo/pull/1177
Restart Required: No
Instructions:
1. Update MajorDoMo to a version including pull request #1177.
2. Apply the patch that adds htmlspecialchars() to sanitize the $qry parameter output.
3. No restart is needed for PHP changes.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to reject or sanitize malicious qry parameter values before processing.
Modify command.php to validate $qry parameter using regex or whitelist allowed characters.
WAF Rule
Deploy Web Application Firewall rules to block requests containing JavaScript in the qry parameter.
🧯 If You Can't Patch
- Restrict access to command.php using network ACLs or authentication.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact.
🔍 How to Verify
Check if Vulnerable:
Test by accessing command.php with a qry parameter containing <script>alert('XSS')</script> and check whether the script executes.
Check Version:
Check the MajorDoMo version in the admin interface, or review the source code for htmlspecialchars() usage in command.php.
Verify Fix Applied:
After patching, repeat the test: the script should not execute and the special characters should appear HTML-encoded in the response.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to command.php with qry parameter containing script tags or JavaScript code.
Network Indicators:
- Unusual spikes in requests to command.php with long or encoded parameters.
SIEM Query:
source="web_logs" AND uri="*command.php*" AND query="*qry=*script*"
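As an added example (not from the advisory or the MajorDoMo project), a small Python scanner that implements the log indicator above: it parses constructed Apache-style access-log lines, extracts the qry parameter of requests to command.php, percent-decodes it repeatedly so double-encoded values are not missed, and flags script tags, inline event handlers and javascript: URIs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /command.php?qry=turn+on+light HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /command.php?qry=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "GET /command.php?qry=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.11 - - [10/Mar/2026:12:00:04 +0000] "GET /index.php?qry=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Patterns that indicate HTML/JS injection attempts in a reflected parameter.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I),   # inline event handlers, e.g. onerror=
    re.compile(r"<\s*(iframe|svg|img|object|embed)\b", re.I),
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) to unmask double-encoded payloads."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict if the line is a suspicious request to command.php, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/command.php"):
        return None
    for qry in parse_qs(parts.query).get("qry", []):   # parse_qs already decodes once
        decoded = fully_decode(qry)
        hits = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
        if hits:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "qry": decoded, "patterns": hits}
    return None

def scan_log(text):
    """Scan a whole log text and return the list of findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]
```

Run scan_log over a real access log to get the same findings the SIEM query above targets, with the encoded variants the simple wildcard match would miss.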