
Description

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
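An illustrative PHP reconstruction of the defect class described above, written for this page and not taken from MajorDoMo or its fix PR: the function names, the `commands` table and its columns, and the in-memory SQLite demo data are assumptions chosen to show the interpolated query next to its parameterized, input-validated form (gating the module behind authentication is a separate fix not shown here).

```php
<?php
// Hypothetical illustration of the pattern the advisory describes; this is NOT
// MajorDoMo's code. Table and column names are assumed for the example.

// BEFORE: the request parameter is spliced straight into the SQL text, so any
// value an unauthenticated client sends is parsed by the database as SQL.
function searchCommandsVulnerable(PDO $db, array $get): array
{
    $parent = $get['parent'] ?? '';
    $sql = "SELECT ID, TITLE FROM commands WHERE PARENT_ID = '" . $parent . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: validate the value as the integer ID it is supposed to be, then bind
// it as a typed parameter so it can never change the shape of the statement.
function searchCommandsHardened(PDO $db, array $get): array
{
    if (!isset($get['parent']) || !ctype_digit((string) $get['parent'])) {
        throw new InvalidArgumentException('parent must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT ID, TITLE FROM commands WHERE PARENT_ID = :parent');
    $stmt->bindValue(':parent', (int) $get['parent'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE commands (ID INTEGER PRIMARY KEY, TITLE TEXT, PARENT_ID INTEGER)');
$db->exec("INSERT INTO commands VALUES (1, 'Lights', 0), (2, 'Kitchen light', 1)");

print_r(searchCommandsHardened($db, ['parent' => '1']));   // returns the one child row

try {
    // A non-numeric value never reaches the database at all.
    searchCommandsHardened($db, ['parent' => 'not-a-number']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```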

State: PUBLISHED | Reserved 2026-02-18 | Published 2026-02-18 | Updated 2026-02-20 | Assigner: VulnCheck

Metrics

HIGH 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)
HIGH 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unknown

Any version: affected

Credits

Valentin Lobstein (finder)

References

chocapikk.com/posts/2026/majordomo-revisited/ (MajorDoMo Revisited: What I Missed in 2023) (third-party advisory)

github.com/sergejey/majordomo/pull/1177 (Fix PR: sergejey/majordomo#1177) (patch)

www.vulncheck.com/...icated-sql-injection-in-commands-module (VulnCheck Advisory: MajorDoMo Unauthenticated SQL Injection in Commands Module) (third-party advisory)

cve.org (CVE-2026-27179)

nvd.nist.gov (CVE-2026-27179)
