CVE-2026-27179
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sergejey | MajorDoMo | 0 <= * | affected |
Weaknesses
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://chocapikk.com/posts/2026/majordomo-revisited/
- https://github.com/sergejey/majordomo/pull/1177
- https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-commands-module
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.