CVE-2026-27174
published 2026-02-18

Priority: P1 89 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 7.00% (93.4th percentile)
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.

Affected (1 range)

Vendor     Product     Version range   Fixed in
sergejey   majordomo   <= *            none

Detection & IOCs (extracted from sources)

url:  /admin.php?ajax_panel=1&op=console&command=echo+file_get_contents%28%27%2Fetc%2Fpasswd%27%29%3B
path: /admin.php
path: modules/panel.class.php
path: inc_panel_ajax.php
  • Detect exploitation attempts by monitoring GET requests to /admin.php containing all three parameters: ajax_panel=1, op=console, and a command parameter — no authentication required by the attacker.
  • Flag unauthenticated GET requests to /admin.php where op=console and ajax_panel=1; the vulnerability bypasses auth due to missing exit after redirect() in modules/panel.class.php.
  • Fingerprint exposed MajorDoMo instances using FOFA/Shodan queries for body containing 'templates/application.html' to identify attack surface.
  • The user-supplied command parameter is passed directly to eval() via evalConsole(); monitor for PHP eval execution of user-controlled input originating from GET parameters in the MajorDoMo process.
  • Parameters are injected via MajorDoMo's register_globals-style gr() function; look for GET-based parameter injection patterns (ajax_panel, op, command) in web server access logs.
  • All versions of MajorDoMo up to and including the latest release are affected; no patched version is available yet. The fix is only tracked as a pending PR.
  • Exploitation requires only a single unauthenticated GET request; no session, cookie, or prior interaction is needed, making automated scanning trivial.
  • The vulnerability is rooted in register_globals-style input handling (gr() function); blocking or sanitizing GET parameters at a WAF level for the /admin.php endpoint is a viable interim mitigation.
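A log-side check for the indicators listed above, added here as an example that is not from the source or from the MajorDoMo project: it parses Apache/nginx combined-format access-log lines (the sample lines are constructed) and reports requests to /admin.php whose query string carries ajax_panel=1, op=console and a command parameter. It keys on the request target rather than the HTTP verb, so the same query string on a non-GET request is still reported.

```python
"""Flag CVE-2026-27174 (MajorDoMo PHP console) attempts in access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_console_rce_attempt(target: str) -> bool:
    """True when the request target is /admin.php (any prefix directory) and its
    query string has all three indicators: ajax_panel=1, op=console, command=..."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    return (qs.get("ajax_panel", [""])[0] == "1"
            and qs.get("op", [""])[0] == "console"
            and "command" in qs)

def scan_access_log(lines):
    """Return one record per matching line: source IP, timestamp, method,
    response status and the decoded command parameter for triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_console_rce_attempt(m["target"]):
            continue  # not combined format, or not the console pattern
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "command": qs["command"][0]})
    return hits

# Constructed sample log lines (RFC 5737 test addresses, harmless command value).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2026:10:01:22 +0000] "GET /admin.php?ajax_panel=1&op=console&command=echo+1%3B HTTP/1.1" 200 17 "-" "curl/8.5.0"',
    '198.51.100.4 - - [18/Feb/2026:10:02:05 +0000] "GET /admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Feb/2026:10:03:41 +0000] "GET /index.php?op=console&ajax_panel=1&command=x HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    '192.0.2.9 - - [18/Feb/2026:10:04:00 +0000] "POST /md/admin.php?ajax_panel=1&op=console&command=x HTTP/1.1" 200 5 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```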

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0   9.3   CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck         9.3   CRITICAL