{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27174", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-18T15:22:30.052Z", "datePublished": "2026-02-18T21:10:36.113Z", "dateUpdated": "2026-03-05T01:31:10.249Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:31:10.249Z"}, "datePublic": "2026-02-17T00:00:00.000Z", "title": "MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval", "descriptions": [{"lang": "en", "value": "MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "affected": [{"vendor": "sergejey", "product": "MajorDoMo", "versions": [{"version": "0", "lessThanOrEqual": "*", "status": "affected", "versionType": "custom"}], "defaultStatus": "unknown"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://chocapikk.com/posts/2026/majordomo-revisited/", "name": "MajorDoMo Revisited: What I Missed in 2023", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sergejey/majordomo/pull/1177", "name": "Fix PR: sergejey/majordomo#1177", "tags": ["patch"]}, {"name": "VulnCheck Advisory: MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval"}], "credits": [{"lang": "en", "value": "Valentin Lobstein", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T18:21:10.869875Z", "id": "CVE-2026-27174", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T18:21:24.197Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27174", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T18:21:10.869875Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T18:21:16.924Z"}}], "cna": {"title": "MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval", "credits": [{"lang": "en", "type": "finder", "value": "Valentin Lobstein"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sergejey", "product": "MajorDoMo", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "datePublic": "2026-02-17T00:00:00.000Z", "references": [{"url": "https://chocapikk.com/posts/2026/majordomo-revisited/", "name": "MajorDoMo Revisited: What I Missed in 2023", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sergejey/majordomo/pull/1177", "name": "Fix PR: sergejey/majordomo#1177", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval", "name": "VulnCheck Advisory: MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-18T21:10:36.113Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27174", "state": "PUBLISHED", "dateUpdated": "2026-02-25T18:21:24.197Z", "dateReserved": "2026-02-18T15:22:30.052Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-18T21:10:36.113Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*", "matchCriteriaId": "7008978E-8DE1-4811-958F-3AFB3847B919", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters."}, {"lang": "es", "value": "MajorDoMo (tambi\u00e9n conocido como Major Domestic Module) permite la ejecuci\u00f3n remota de c\u00f3digo no autenticada a trav\u00e9s de la funci\u00f3n de consola PHP del panel de administraci\u00f3n. Un error de orden de inclusi\u00f3n en modules/panel.class.php provoca que la ejecuci\u00f3n contin\u00fae m\u00e1s all\u00e1 de una llamada a redirect() que carece de una declaraci\u00f3n exit, permitiendo que las solicitudes no autenticadas lleguen al manejador ajax en inc_panel_ajax.php. El manejador de consola dentro de ese archivo pasa la entrada proporcionada por el usuario desde los par\u00e1metros GET (a trav\u00e9s de register_globals) directamente a eval() sin ninguna verificaci\u00f3n de autenticaci\u00f3n. Un atacante puede ejecutar c\u00f3digo PHP arbitrario enviando una solicitud GET manipulada a /admin.php con los par\u00e1metros ajax_panel, op y command."}], "id": "CVE-2026-27174", "lastModified": "2026-02-20T20:02:36.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-18T22:16:25.080", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://chocapikk.com/posts/2026/majordomo-revisited/"}, {"source": "disclosure@vulncheck.com", "tags": ["Issue Tracking", "Exploit"], "url": "https://github.com/sergejey/majordomo/pull/1177"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MajorDoMo", "source": "cna", "vendor": "sergejey"}, "product": "majordomo", "vendor": "sergejey"}], "analysis": {"en": {"generated_at": "2026-04-22T19:56:35.486747+00:00", "value": {"mitigation_remediation": ["Apply the latest patch to MajorDoMo that removes the unsanitized eval usage, as referenced in sergejey/majordomo pull request 1177.", "Restrict web access to the /admin.php endpoint so that only authenticated users can reach it, for example by implementing HTTP authentication or IP whitelisting and ensuring the application enforces authentication before processing console commands.", "If a patch is not yet available, disable the console feature by removing or commenting out the ajax_panel handling code in inc_panel_ajax.php, or block the ajax_panel GET parameter so the eval call is unreachable.", "Additionally, disable register_globals in the PHP environment to prevent accidental global variable injection that could be exploited."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is MajorDoMo by sergejey. No specific version information is provided; the flaw applies to any installation that contains the vulnerable modules/panel.class.php and inc_panel_ajax.php.", "description_and_impact": "The vulnerability is triggered by the admin panel\u2019s PHP console feature. An include order bug in modules/panel.class.php bypasses a redirect() call that lacks an exit, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler in that file passes user-supplied GET parameters directly to eval() without any authentication check, enabling an attacker to execute arbitrary PHP code on the server.", "risk_and_exploitability": "With a CVSS score of 9.3 and an EPSS of 85%, the risk of exploitation is high. The exploit requires only unauthenticated HTTP GET requests to a predictable URL (e.g., /admin.php?ajax_panel=1&op=\u2026&command=\u2026) and relies on PHP\u2019s register_globals being enabled and the absence of authentication checks. The vulnerability is not listed in the CISA KEV catalog, but the path to remote code execution is straightforward and has been publicly demonstrated."}}}}, "created": "2026-02-19T10:11:05.555254+00:00", "updated": "2026-04-22T20:00:08.854730+00:00", "vendors": ["sergejey", "sergejey$PRODUCT$majordomo"]}