Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.
Published: 2026-02-18
Score: 9.2 Critical
EPSS: 25.5% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to inject operating‑system commands through the rc/index.php endpoint. User supplied data is interpolated into a shell command string inside double quotes without escaping, and the command is subsequently executed by the cycle_execs.php script. This race condition enables the attacker to trigger arbitrary code execution on the host in less than one second. The weakness involved is command injection (CWE‑78), which compromises confidentiality, integrity, and availability of the affected system.

Affected Systems

Affected systems are installations of MajorDoMo maintained by sergejey. No explicit version range is listed, so all releases that contain the vulnerable implementation of rc/index.php and cycle_execs.php are potentially affected.

Risk and Exploitability

The CVSS score of 9.2 indicates critical severity; the EPSS score of 25% reflects a moderate probability of exploitation in the near term, and the vulnerability is not yet catalogued in the CISA KEV list. The attack vector is network-based, requiring only HTTP access to the web interface; authentication is not required. Exploitation is performed by first invoking cycle_execs.php to start the command queue, then immediately sending the malicious input to rc/index.php so that the queued command is executed during the polling loop. The ability to run arbitrary commands in the context of the web server indicates a full remote code execution scenario.

Generated by OpenCVE AI on April 16, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the patched release that removes the unsafe command injection path (apply the merge in PR #1177).
  • Disable or restrict access to cycle_execs.php so that only authenticated users or no users can invoke it, or remove the script entirely if it is not required.
  • If an immediate patch cannot be applied, sanitize or escape $param (for example, by using escapeshellarg) before interpolating it into the command string.

Generated by OpenCVE AI on April 16, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mjdm
Mjdm majordomo
CPEs cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
Vendors & Products Mjdm
Mjdm majordomo

Wed, 18 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.
Title MajorDoMo Command Injection in rc/index.php via Race Condition
First Time appeared Sergejey
Sergejey majordomo
Weaknesses CWE-78
CPEs cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
Vendors & Products Sergejey
Sergejey majordomo
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mjdm Majordomo
Sergejey Majordomo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:11.056Z

Reserved: 2026-02-18T15:22:30.053Z

Link: CVE-2026-27175

cve-icon Vulnrichment

Updated: 2026-02-26T16:20:15.545Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T22:16:25.263

Modified: 2026-02-20T20:02:13.103

Link: CVE-2026-27175

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses