CVE-2026-27179

HIGH EPSS 37.0%
Published Feb 18, 20264mo ago · Modified Feb 20, 20264mo ago
8.8 CVSS 4.0
High
Find Similar
Published Feb 18, 2026 4mo ago
Last Modified Feb 20, 2026 4mo ago

Description

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.

CVSS Details

Base Score
8.8
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
37.0% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-89 SQL Injection Injection

Affected Products 1

VendorProductVersionRange
mjdmmajordomo*any

References 3

  • chocapikk.com https://chocapikk.com/posts/2026/majordomo-revisited/
    Third Party AdvisoryExploit
  • github.com https://github.com/sergejey/majordomo/pull/1177
    ExploitIssue Tracking
  • vulncheck.com https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-commands-module
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.