CVE-2026-27180CRITICAL 9.8EPSS p60.9%

CVE-2026-27180CVE-2026-27180

Description

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS1.09% probability of exploitation · percentile 60.9% · 2026-06-18T12:00:27Z
Published2026-02-18
Last modified2026-02-20

Underlying weaknesses· 1

CWE-494

References

  1. https://chocapikk.com/posts/2026/majordomo-revisited/
  2. https://github.com/sergejey/majordomo/pull/1177
  3. https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-execution-via-update-url-poisoning

1

TypeTargetConfidenceTier
WeaknessDownload of Code Without Integrity Checkcwe-4940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-27174
CVE
CVE-2026-27175
CVE
CVE-2026-27179
CVE
CVE-2026-31019
CVE
CVE-2026-21628
CVE
CVE-2026-11619
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.