CVE-2026-27180

{"id": "CVE-2026-27180", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-18T22:16:26.153", "references": [{"url": "https://chocapikk.com/posts/2026/majordomo-revisited/", "tags": ["Exploit", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/sergejey/majordomo/pull/1177", "tags": ["Exploit", "Issue Tracking"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-execution-via-update-url-poisoning", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-494"}]}], "descriptions": [{"lang": "en", "value": "MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests."}, {"lang": "es", "value": "MajorDoMo (tambi\u00e9n conocido como Major Domestic Module) es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo no autenticada a trav\u00e9s de un compromiso de la cadena de suministro mediante el envenenamiento de la URL de actualizaci\u00f3n. El m\u00f3dulo saverestore expone su m\u00e9todo admin() a trav\u00e9s del endpoint /objects/?module=saverestore sin autenticaci\u00f3n porque usa gr('mode') (que lee directamente de $_REQUEST) en lugar del $this->mode del framework. Un atacante puede envenenar la URL de actualizaci\u00f3n del sistema a trav\u00e9s del manejador de modo auto_update_settings, y luego activar el manejador force_update para iniciar la cadena de actualizaci\u00f3n. El m\u00e9todo autoUpdateSystem() obtiene un feed Atom de la URL controlada por el atacante con una validaci\u00f3n trivial, descarga un tarball v\u00eda curl con la verificaci\u00f3n TLS deshabilitada (CURLOPT_SSL_VERIFYPEER establecido en FALSE), lo extrae usando exec('tar xzvf ...'), y copia todos los archivos extra\u00eddos a la ra\u00edz del documento usando copyTree(). Esto permite a un atacante desplegar archivos PHP arbitrarios, incluyendo webshells, en la ra\u00edz web con dos solicitudes GET."}], "lastModified": "2026-02-20T19:51:21.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7008978E-8DE1-4811-958F-3AFB3847B919"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}