CVE-2026-27179 · CRITICAL 9.8 · EPSS p36.8%

Description

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.47% probability of exploitation · percentile 36.8% · 2026-06-18T12:00:27Z
Published: 2026-02-18
Last modified: 2026-02-20

Underlying weaknesses · 1

CWE-89

References

  1. https://chocapikk.com/posts/2026/majordomo-revisited/
  2. https://github.com/sergejey/majordomo/pull/1177
  3. https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-commands-module

Type: Weakness
Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-27174
CVE-2026-27175
CVE-2026-27180
CVE-2026-39109
CVE-2025-22974
CVE-2025-8936

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.