CVE-2026-27175

high-risk

Published 2026-02-18

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.

Do I need to act?

25.2% chance of exploitation in next 30 days

EPSS score — higher than 75% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Majordomo

Affected Vendors

Mjdm

References (3)

Third Party Advisory https://chocapikk.com/posts/2026/majordomo-revisited/

Issue Tracking https://github.com/sergejey/majordomo/pull/1177

Third Party Advisory https://www.vulncheck.com/advisories/majordomo-command-injection-in-rcindexphp-v...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 15/34 · Moderate

Exposure 5/34 · Minimal