CVE-2026-27175 | THREATINT

Description

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.

PUBLISHED Reserved 2026-02-18 | Published 2026-02-18 | Updated 2026-02-18 | Assigner VulnCheck

CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unknown

Any version

affected

Credits

Valentin Lobstein finder

References

chocapikk.com/posts/2026/majordomo-revisited/ (MajorDoMo Revisited: What I Missed in 2023) third-party-advisory

github.com/sergejey/majordomo/pull/1177 (Fix PR: sergejey/majordomo#1177) patch

www.vulncheck.com/...ection-in-rcindexphp-via-race-condition (VulnCheck Advisory: MajorDoMo Command Injection in rc/index.php via Race Condition) third-party-advisory

cve.org (CVE-2026-27175)

nvd.nist.gov (CVE-2026-27175)

Download JSON