Sergejey Majordomo vulnerabilities
8 known vulnerabilities affecting sergejey/majordomo.
Total CVEs
8
CISA KEV
0
Public exploits
4
Exploited in wild
2
Severity breakdown
CRITICAL4HIGH1MEDIUM3
Vulnerabilities
Page 1 of 1
CVE-2026-27174P1CRITICALCVSS 9.8ExploitedPoC≤ *2026-02-18
CVE-2026-27174 [CRITICAL] CWE-94 CVE-2026-27174: MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin pan
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console
nvd
CVE-2026-27175P1CRITICALCVSS 9.8ExploitedPoC≤ *2026-02-18
CVE-2026-27175 [CRITICAL] CWE-78 CVE-2026-27175: MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/i
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycl
nvd
CVE-2026-27180P2CRITICALCVSS 9.8PoC≤ *2026-02-18
CVE-2026-27180 [CRITICAL] CWE-494 CVE-2026-27180: MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of
nvd
CVE-2026-27179P2CRITICALCVSS 9.8≤ *2026-02-18
CVE-2026-27179 [CRITICAL] CWE-89 CVE-2026-27179: MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?m
nvd
CVE-2026-27176P3MEDIUMCVSS 6.1PoC≤ *2026-02-18
CVE-2026-27176 [MEDIUM] CWE-79 CVE-2026-27176: MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability
MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting a URL with
nvd
CVE-2026-27181P3HIGHCVSS 7.5≤ *2026-02-18
CVE-2026-27181 [HIGH] CWE-862 CVE-2026-27181: MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without authentication via the /objects/?module=market endpoint. T
nvd
CVE-2026-27177P4MEDIUMCVSS 6.1≤ *2026-02-18
CVE-2026-27177 [MEDIUM] CWE-79 CVE-2026-27177: MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, th
nvd
CVE-2026-27178P4MEDIUMCVSS 6.1≤ *2026-02-18
CVE-2026-27178 [MEDIUM] CWE-79 CVE-2026-27178: MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability thr
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VAL
nvd