CVE-2026-27174

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27174
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://chocapikk.com/posts/2026/majordomo-revisited/ Third Party Advisory Exploit
https://github.com/sergejey/majordomo/pull/1177 Issue Tracking Exploit
https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
History

20 Feb 2026, 20:02

Type Values Removed Values Added
CPE cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
First Time Mjdm
Mjdm majordomo
References () https://chocapikk.com/posts/2026/majordomo-revisited/ - () https://chocapikk.com/posts/2026/majordomo-revisited/ - Third Party Advisory, Exploit
References () https://github.com/sergejey/majordomo/pull/1177 - () https://github.com/sergejey/majordomo/pull/1177 - Issue Tracking, Exploit
References () https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval - () https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval - Third Party Advisory
Summary
  • (es) MajorDoMo (también conocido como Major Domestic Module) permite la ejecución remota de código no autenticada a través de la función de consola PHP del panel de administración. Un error de orden de inclusión en modules/panel.class.php provoca que la ejecución continúe más allá de una llamada a redirect() que carece de una declaración exit, permitiendo que las solicitudes no autenticadas lleguen al manejador ajax en inc_panel_ajax.php. El manejador de consola dentro de ese archivo pasa la entrada proporcionada por el usuario desde los parámetros GET (a través de register_globals) directamente a eval() sin ninguna verificación de autenticación. Un atacante puede ejecutar código PHP arbitrario enviando una solicitud GET manipulada a /admin.php con los parámetros ajax_panel, op y command.

18 Feb 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-18 22:16

Updated : 2026-02-20 20:02

NVD link : CVE-2026-27174

Mitre link : CVE-2026-27174

CVE.ORG link : CVE-2026-27174

JSON object : View

Products Affected

mjdm

  • majordomo
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')