CVE-2026-27179
moderate-risk
Published 2026-02-18
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
Do I need to act?
-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.2/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (3)
Third Party Advisory
https://chocapikk.com/posts/2026/majordomo-revisited/
Third Party Advisory
https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-...
33
/ 100
moderate-risk
Severity
28/34 · Critical
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal