CVE-2026-27179

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27179
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.

8.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://chocapikk.com/posts/2026/majordomo-revisited/ Third Party Advisory Exploit
https://github.com/sergejey/majordomo/pull/1177 Exploit Issue Tracking
https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-commands-module Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
History

20 Feb 2026, 19:56

Type Values Removed Values Added
Summary
  • (es) MajorDoMo (también conocido como Major Domestic Module) contiene una vulnerabilidad de inyección SQL no autenticada en el módulo de comandos. El archivo commands_search.inc.php interpola directamente el parámetro $_GET['parent'] en múltiples consultas SQL sin saneamiento o consultas parametrizadas. Se puede cargar el módulo de comandos sin autenticación a través del endpoint /objects/?module=commands, que incluye módulos arbitrarios por nombre y llama a su método usual(). Es posible explotar la inyección SQL ciega basada en tiempo usando la sintaxis UNION SELECT SLEEP(). Debido a que MajorDoMo almacena las contraseñas de administrador como hashes MD5 sin sal en la tabla de usuarios, en caso de que se eplote con éxito se puede extraer credenciales y, posteriormente, acceder al panel de administración.
CPE cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
References () https://chocapikk.com/posts/2026/majordomo-revisited/ - () https://chocapikk.com/posts/2026/majordomo-revisited/ - Third Party Advisory, Exploit
References () https://github.com/sergejey/majordomo/pull/1177 - () https://github.com/sergejey/majordomo/pull/1177 - Exploit, Issue Tracking
References () https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-commands-module - () https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-commands-module - Third Party Advisory
First Time Mjdm
Mjdm majordomo

18 Feb 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-18 22:16

Updated : 2026-02-20 19:56

NVD link : CVE-2026-27179

Mitre link : CVE-2026-27179

CVE.ORG link : CVE-2026-27179

JSON object : View

Products Affected

mjdm

  • majordomo
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')