Description
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.
Published: 2026-02-18
Score: 9.3 Critical
EPSS: 85.2% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is triggered by the admin panel’s PHP console feature. An include order bug in modules/panel.class.php bypasses a redirect() call that lacks an exit, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler in that file passes user-supplied GET parameters directly to eval() without any authentication check, enabling an attacker to execute arbitrary PHP code on the server.

Affected Systems

The affected product is MajorDoMo by sergejey. No specific version information is provided; the flaw applies to any installation that contains the vulnerable modules/panel.class.php and inc_panel_ajax.php.

Risk and Exploitability

With a CVSS score of 9.3 and an EPSS of 85%, the risk of exploitation is high. The exploit requires only unauthenticated HTTP GET requests to a predictable URL (e.g., /admin.php?ajax_panel=1&op=…&command=…) and relies on PHP’s register_globals being enabled and the absence of authentication checks. The vulnerability is not listed in the CISA KEV catalog, but the path to remote code execution is straightforward and has been publicly demonstrated.

Generated by OpenCVE AI on April 22, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch to MajorDoMo that removes the unsanitized eval usage, as referenced in sergejey/majordomo pull request 1177.
  • Restrict web access to the /admin.php endpoint so that only authenticated users can reach it, for example by implementing HTTP authentication or IP whitelisting and ensuring the application enforces authentication before processing console commands.
  • If a patch is not yet available, disable the console feature by removing or commenting out the ajax_panel handling code in inc_panel_ajax.php, or block the ajax_panel GET parameter so the eval call is unreachable.
  • Additionally, disable register_globals in the PHP environment to prevent accidental global variable injection that could be exploited.

Generated by OpenCVE AI on April 22, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mjdm
Mjdm majordomo
CPEs cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
Vendors & Products Mjdm
Mjdm majordomo

Wed, 18 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.
Title MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval
First Time appeared Sergejey
Sergejey majordomo
Weaknesses CWE-94
CPEs cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
Vendors & Products Sergejey
Sergejey majordomo
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mjdm Majordomo
Sergejey Majordomo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:10.249Z

Reserved: 2026-02-18T15:22:30.052Z

Link: CVE-2026-27174

cve-icon Vulnrichment

Updated: 2026-02-25T18:21:16.924Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T22:16:25.080

Modified: 2026-02-20T20:02:36.767

Link: CVE-2026-27174

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:00:08Z

Weaknesses