Description
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
Published: 2026-02-18
Score: 8.8 High (CVSS v4.0 base score; the v3.1 base score on the record is 8.2)
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized credential theft via SQL injection
Action: Apply patch
AI Analysis

Impact

MajorDoMo contains an unauthenticated SQL injection flaw in the commands module: the value of the $_GET['parent'] parameter is interpolated into SQL text, so a request can append its own SQL to the query. The record notes that time‑based blind injection works with UNION SELECT SLEEP() syntax, which lets an attacker extract data one condition at a time even when the page shows no query output. Because admin passwords are stored as unsalted MD5 hashes, the extracted hashes can be cracked or looked up offline and the recovered credentials used to log in to the administration panel. The CVSS vectors attached to the record rate the confidentiality impact high and the integrity impact low (C:H/I:L), which matches a credential‑theft path followed by authenticated access.
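The pattern the advisory describes, reduced to a runnable form (an added example, not code from MajorDoMo or from the CVE record): a search function that interpolates a request parameter into SQL, beside a parameterized rewrite. It runs against an in-memory SQLite database, so the table and column names (commands.parent_id, users.username, users.password) and the sample rows are constructed stand-ins for the real schema, and because SQLite has no SLEEP() the payload shown is the UNION SELECT form that reads the users table rather than the time-based probe the advisory mentions.

```python
# Added example (not MajorDoMo code): the CWE-89 pattern from the advisory,
# reproduced against SQLite. Schema, rows and the password are hypothetical.
import hashlib
import sqlite3


def legacy_md5(password: str) -> str:
    # Unsalted MD5, the storage scheme the advisory attributes to MajorDoMo.
    return hashlib.md5(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed sample data: a small commands tree plus a users table.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE commands (id INTEGER, title TEXT, parent_id INTEGER);
        INSERT INTO commands VALUES (1, 'Lights', 0);
        INSERT INTO commands VALUES (2, 'Kitchen light', 1);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        """
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (legacy_md5("hunter2"),))
    return conn


def search_vulnerable(conn: sqlite3.Connection, parent: str) -> list:
    # The bug class: the request parameter becomes part of the SQL text,
    # so 'parent' can finish the WHERE clause and append its own UNION SELECT.
    sql = f"SELECT title, parent_id FROM commands WHERE parent_id={parent}"
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, parent: str) -> list:
    # Validate the type the application actually expects (an integer id),
    # then bind it as a parameter so the driver never parses it as SQL.
    if not parent.isdigit():
        raise ValueError("parent must be a non-negative integer")
    sql = "SELECT title, parent_id FROM commands WHERE parent_id=?"
    return conn.execute(sql, (int(parent),)).fetchall()


# Illustrative UNION payload: no row has parent_id -1, so only the
# second SELECT contributes rows, and those come from the users table.
PAYLOAD = "-1 UNION SELECT username, password FROM users"


def demo() -> dict:
    # Run the same payload through both code paths and report what each did.
    conn = build_db()
    leaked = search_vulnerable(conn, PAYLOAD)
    try:
        search_fixed(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "legit": search_vulnerable(conn, "1"),
        "leaked": leaked,
        "fixed_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized query alone is enough to stop the injection (the bound value is compared as data, never parsed as SQL); the integer check in front of it is there so that tampering fails loudly instead of silently returning nothing, which is the same shape a fix in the PHP original would take with an int cast plus mysqli or PDO prepared statements.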

Affected Systems

The affected product is MajorDoMo, a smart‑home platform; the record lists it under two CPE vendor names, sergejey and mjdm. The flaw resides in the commands module, which the /objects/?module=commands endpoint loads without authentication. Neither CPE entry carries a version range, so any deployment in which that endpoint is reachable should be treated as potentially vulnerable until a fixed release is confirmed.

Risk and Exploitability

The CVSS v4.0 base score of 8.8 (v3.1: 8.2) classifies this flaw as high severity, while the EPSS score below 1% indicates a currently low observed likelihood of exploitation; the SSVC entry on the record likewise reports Exploitation: none and Automatable: yes. The vulnerability is not listed in CISA’s KEV catalog. The attack path is short: send an unauthenticated HTTP request to /objects/?module=commands with a crafted "parent" query string, use the injection to read the MD5 hashes from the users table, crack or look up the unsalted hashes offline, and log in to the admin interface with the recovered password. No credentials or user interaction are required, and the request can be sent from any network from which the MajorDoMo instance is reachable.
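A detection check for the request pattern just described, as an added example that is not part of the OpenCVE record or the MajorDoMo project: it parses access-log lines in the common log format, isolates requests to /objects/ with module=commands, and flags a parent value that carries SQL syntax or, more conservatively, one that is not a plain integer (the assumption that a legitimate parent is a numeric command id is mine, not the advisory's). The log lines are constructed, not captured from a real host.

```python
# Added example (not from the advisory or MajorDoMo): detection logic for
# injection attempts against /objects/?module=commands, run over
# constructed access-log lines. That a legitimate 'parent' is a numeric
# id is an assumption of this example, not a fact from the record.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in the common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2026:10:01:02 +0000] "GET /objects/?module=commands&parent=12 HTTP/1.1" 200 4821
203.0.113.7 - - [18/Feb/2026:10:01:05 +0000] "GET /objects/?module=commands&parent=12%20UNION%20SELECT%20SLEEP(5)--%20- HTTP/1.1" 200 4821
203.0.113.7 - - [18/Feb/2026:10:01:13 +0000] "GET /objects/?module=commands&parent=-1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 200 5190
198.51.100.9 - - [18/Feb/2026:10:02:00 +0000] "GET /objects/?module=scenes&id=3 HTTP/1.1" 200 1044
198.51.100.9 - - [18/Feb/2026:10:02:30 +0000] "GET /objects/?module=commands&parent=abc HTTP/1.1" 200 4821
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL syntax that has no business in an integer id: the keywords the
# advisory names (UNION SELECT, SLEEP) plus comment and quote characters.
SQLI_RE = re.compile(
    r"\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|#|'|\"",
    re.IGNORECASE,
)


def classify(line: str):
    """Return a finding dict for a suspicious commands-module request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/objects"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("module", [""])[0] != "commands":
        return None
    # parse_qs already percent-decodes once; decode again so a
    # double-encoded payload (%2520UNION) is inspected in its final form.
    parent = unquote_plus(params.get("parent", [""])[0])
    hit = SQLI_RE.search(parent)
    if hit:
        severity, reason = "high", f"SQL syntax in parent: {hit.group(0)!r}"
    elif not parent.isdigit():
        severity, reason = "medium", "non-numeric parent (expected an integer id)"
    else:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "parent": parent,
            "severity": severity, "reason": reason}


def scan(log_text: str) -> list:
    # One finding per suspicious line, in log order.
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The keyword match catches the payload forms the advisory names; the integer check behind it is what catches an attacker who obfuscates keywords, at the cost of some noise if the application ever sends a non-numeric parent itself, which is why that tier is rated medium rather than high.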

Generated by OpenCVE AI on April 16, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MajorDoMo to the latest release containing the fix referenced in the pull request (e.g., commit 1177).
  • Until a fixed release is installed, restrict network access to the MajorDoMo web interface (at minimum the /objects/ endpoint) to trusted IP ranges with firewall or web‑server rules; the module loader performs no authentication check of its own, so the restriction has to be enforced in front of the application.
  • Rotate all admin passwords after patching, since any hash already extracted stays valid until the password changes, and, where the platform supports it, migrate stored credentials to a salted, slow hash (bcrypt or Argon2) so that a future leak of the users table cannot be turned into working logins as cheaply as unsalted MD5 can.

Generated by OpenCVE AI on April 16, 2026 at 17:05 UTC.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:00:00 +0000

Values Removed: (none listed)
Values Added:
  First Time appeared: Mjdm; Mjdm majordomo
  CPEs: cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
  Vendors & Products: Mjdm; Mjdm majordomo

Fri, 20 Feb 2026 19:15:00 +0000

Values Removed: (none listed)
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 21:30:00 +0000

Values Removed: (none listed)
Values Added:
  Description: MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
  Title: MajorDoMo Unauthenticated SQL Injection in Commands Module
  First Time appeared: Sergejey; Sergejey majordomo
  Weaknesses: CWE-89
  CPEs: cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
  Vendors & Products: Sergejey; Sergejey majordomo
  References: (none listed)
  Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
           cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Mjdm Majordomo
Sergejey Majordomo
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:14.335Z

Reserved: 2026-02-18T15:22:30.053Z

Link: CVE-2026-27179

Vulnrichment

Updated: 2026-02-20T19:01:21.372Z

NVD

Status : Analyzed

Published: 2026-02-18T22:16:25.967

Modified: 2026-02-20T19:56:55.863

Link: CVE-2026-27179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses