CVE-2026-27174
Published: 2026-02-18
CVE-2026-27174: MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature.
Priority: P189 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 7.00% (93.4th percentile)
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sergejey | majordomo | <= * | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring GET requests to /admin.php containing all three parameters: ajax_panel=1, op=console, and a command parameter — no authentication required by the attacker.
- Flag unauthenticated GET requests to /admin.php where op=console and ajax_panel=1; the vulnerability bypasses auth due to missing exit after redirect() in modules/panel.class.php.
- Fingerprint exposed MajorDoMo instances using FOFA/Shodan queries for body containing 'templates/application.html' to identify attack surface.
- The user-supplied command parameter is passed directly to eval() via evalConsole(); monitor for PHP eval execution of user-controlled input originating from GET parameters in the MajorDoMo process.
- Parameters are injected via MajorDoMo's register_globals-style gr() function; look for GET-based parameter injection patterns (ajax_panel, op, command) in web server access logs.
- All versions of MajorDoMo up to and including the latest release are affected; no patched version is available yet — the fix is only tracked as a pending PR.
- Exploitation requires only a single unauthenticated GET request; no session, cookie, or prior interaction is needed, making automated scanning trivial.
- The vulnerability is rooted in register_globals-style input handling (gr() function); blocking or sanitizing GET parameters at a WAF level for the /admin.php endpoint is a viable interim mitigation.
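The detection bullets above all reduce to one request pattern: a hit on /admin.php whose query string carries ajax_panel, op=console and a command parameter. The script below is an added example that applies that pattern to access-log lines; it is not code from this page, from MajorDoMo, or from any of the sources quoted here. The log-line regex (Apache/nginx "combined" layout), the function names and the sample log entries are assumptions constructed for the example. Two details follow from the sources rather than from the example: the response status is deliberately not used as a filter, because the page states that execution continues past the redirect() call, so a 302 does not mean the request was stopped; and the parameter names are normalised the way PHP normalises them when building $_GET (a dot or space in a key becomes an underscore), so a spelling such as ajax.panel is still matched. Treating any non-empty ajax_panel value as a match, rather than only ajax_panel=1, is the example's own choice.

```python
"""Flag access-log lines matching the CVE-2026-27174 request pattern.

Added illustrative code: not part of MajorDoMo or of any source quoted on
this page.  The log layout, helper names and sample lines are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed Apache/nginx "combined" log layout; adjust for other formats.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3})'
)


def _php_key(name: str) -> str:
    """PHP rewrites '.' and ' ' in incoming parameter names to '_' when it
    populates $_GET, so 'ajax.panel' reaches the script as 'ajax_panel'."""
    return name.replace(".", "_").replace(" ", "_")


def is_console_rce_attempt(target: str) -> bool:
    """True when the request target is /admin.php (possibly under a prefix)
    and the query carries ajax_panel, op=console and a command parameter,
    the combination named in the CVE description."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/admin.php"):
        return False

    # parse_qs decodes percent-encoding in both names and values; keep blank
    # values so an empty command= still counts as "parameter present".
    params: dict[str, list[str]] = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        params.setdefault(_php_key(key), []).extend(values)

    # PHP keeps the LAST value of a repeated parameter, so compare [-1].
    ajax_panel = params.get("ajax_panel", [""])[-1]
    op = params.get("op", [""])[-1]
    return bool(ajax_panel) and op == "console" and "command" in params


def scan_access_log(lines):
    """Return one record per matching request.  The HTTP status is reported
    but never used to filter: per the advisory, execution continues past
    redirect(), so a 302 response does not prove the request was blocked."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_console_rce_attempt(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "target": m.group("target"),
                "status": m.group("status"),
            })
    return hits


# Constructed sample log (RFC 5737 documentation addresses, placeholder
# command value).  Lines 2 and 4 match; 1, 3 and 5 do not.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2026:10:01:02 +0000] "GET /admin.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.7 - - [18/Feb/2026:10:01:05 +0000] "GET /admin.php?ajax_panel=1&op=console&command=CONSTRUCTED_SAMPLE HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [18/Feb/2026:10:02:11 +0000] "GET /admin.php?op=console&ajax_panel=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2026:10:02:40 +0000] "GET /mdm/admin.php?op=other&op=console&ajax.panel=1&command= HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.4 - - [18/Feb/2026:10:03:00 +0000] "GET /index.php?ajax_panel=1&op=console&command=x HTTP/1.1" 404 0 "-" "-"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["method"]} '
              f'{hit["target"]} -> {hit["status"]}')
```

The same predicate, `is_console_rce_attempt`, is the logic a WAF rule for the interim mitigation in the last bullet would implement: match on the normalised parameter set rather than on a literal substring, so that parameter reordering, repeated keys or percent-encoding do not slip past the rule. Note the fourth sample line: the redirect status is 302, yet the request still matches and, per the advisory, would still have reached eval().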
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-8p47-wg5j-hm56: MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature
Source: GHSA (unreviewed) · 2026-02-19 · CVE-2026-27174 · CRITICAL · CWE-94
VulnCheck
mjdm majordomo Improper Control of Generation of Code ('Code Injection')
Source: VulnCheck · 2026 · CVSS 9.3 · CRITICAL
Affected: mjdm majordomo
Required Action: Apply remediations or mitigations per vendor ins
No detection rules found.
Nuclei
MajorDoMo - Unauthenticated RCE
Source: Nuclei · CVSS 9.3 · CRITICAL
MajorDoMo contains a remote code execution caused by an include order bug and lack of exit after redirect in admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.
Template:

```yaml
id: CVE-2026-27174

info:
  name: MajorDoMo - Unauthenticated RCE
  author: 0x_Akoko
  severity: critical
  description: |
    MajorDoMo contains a remote code execution caused by an include order bug and lack of exit after redirect in admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest version with the fix for the inclu
```
Metasploit
MajorDoMo Console Eval Unauthenticated RCE
Source: Metasploit
This module exploits an unauthenticated remote code execution vulnerability in MajorDoMo, an open-source home automation platform. The admin panel's PHP console is accessible without authentication due to a missing exit after redirect in modules/panel.class.php. The redirect("/") call intended to block unauthenticated users lacks an exit statement, so execution continues into the ajax panel handler which includes inc_panel_ajax.php unconditionally. Inside, the console handler passes the user-supplied command parameter directly to eval() via the evalConsole() function. The command, ajax_panel, and op parameters are all controllable via GET request through MajorDoMo's register_globals-style gr() function. This results in unauthenticated PHP code ev
Hackernews
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Source: The Hacker News blog · 2026-05-18 · CVE-2026-42897 · MEDIUM · CVSS 6.1
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Hackernews
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories
Source: The Hacker News blog · 2026-04-23 · CVE-2026-27175
You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes.
The supply chain is messy. Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple but still work, giving attackers easy access.
AI tools are also part of the problem now. They trust bad input and take real actions, which makes the damage