Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
Published: 2026-02-18
Score: 9.3 Critical
EPSS: 48.8% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

MajorDoMo is vulnerable to unauthenticated remote code execution in the saverestore module, which exposes its admin() method without authentication. The flaw is an instance of CWE-494 (Download of Code Without Integrity Check): the updater installs whatever it downloads without verifying its origin or integrity. By poisoning the update URL through the auto_update_settings handler and then calling force_update, an attacker can make the system fetch an Atom feed from an attacker-controlled location, download a tarball with TLS verification disabled, extract it via exec('tar xzvf ...'), and copy its contents to the web root. This sequence requires only two unauthenticated GET requests, allowing the attacker to place arbitrary PHP files, including web shells, into the document root.

Affected Systems

The affected product is MajorDoMo (CPE vendor sergejey). All releases of MajorDoMo that include the saverestore module and auto_update functionality are vulnerable; the CVE entry does not list specific version numbers, so any publicly available release without an applied patch or configuration change remains at risk.

Risk and Exploitability

The base CVSS score of 9.3 indicates critical severity. An EPSS score of 48% reflects a high likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog but remains a priority because it can be triggered remotely without authentication or privileged access. The supply‑chain nature of the flaw means that any system relying on automatic updates is directly exposed, making exploitation especially straightforward.

Generated by OpenCVE AI on April 18, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MajorDoMo update that removes unauthenticated access to the auto_update_settings handler and enforces strict SSL verification for feed URLs (see PR 1177 and the subsequent release notes).
  • If upgrading is not immediately possible, disable the auto_update feature in the configuration (set the auto_update flag to false) or delete the auto_update_settings mode to eliminate the attack surface.
  • Configure a network firewall or application layer filter to block requests to /objects/?module=saverestore and any endpoints associated with update operations, while ensuring that any remaining update URLs point only to TLS‑verified, trusted sources.
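
To check whether the two handlers named in the description have already been requested, the access log can be searched for them. The following is an added example, not code from OpenCVE or the MajorDoMo project; it assumes Combined Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Handler names as given in the CVE description.
SUSPECT_MODES = {"auto_update_settings", "force_update"}

# Assumption: the web server writes Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (ip, timestamp, mode, status) for a saverestore update request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.rstrip("/").endswith("/objects"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # also decodes %-escapes
    # PHP keeps the last value of a repeated parameter, so do the same here.
    if qs.get("module", [""])[-1] != "saverestore":
        return None
    mode = qs.get("mode", [""])[-1]
    if mode not in SUSPECT_MODES:
        return None
    return m["ip"], m["ts"], mode, int(m["status"])

def find_hits(lines):
    """Every request that reached one of the two handlers; each deserves review."""
    return [hit for hit in map(classify, lines) if hit]

def find_chains(lines):
    """Clients that requested auto_update_settings and later force_update."""
    pending, chains = {}, []
    for ip, ts, mode, _status in find_hits(lines):
        if mode == "auto_update_settings":
            pending[ip] = ts
        elif ip in pending:
            chains.append((ip, pending.pop(ip), ts))
    return chains

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '203.0.113.5 - - [18/Feb/2026:09:59:40 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Feb/2026:10:00:01 +0000] "GET /objects/?module=saverestore&mode=auto_update_settings HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [18/Feb/2026:10:00:05 +0000] "GET /objects/?module=example HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Feb/2026:10:00:09 +0000] "GET /objects/?module=saverestore&mode=force%5Fupdate HTTP/1.1" 200 128 "-" "-"',
    '192.0.2.44 - - [18/Feb/2026:11:30:00 +0000] "GET /objects/?module=saverestore&mode=force_update HTTP/1.1" 403 0 "-" "-"',
]
```

Because gr('mode') reads from $_REQUEST, the same parameters sent in a POST body do not appear in the logged query string, so an empty result does not rule out access.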

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:00:00 +0000

Values Added:
  • First Time appeared: Mjdm; Mjdm majordomo
  • CPEs: cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
  • Vendors & Products: Mjdm; Mjdm majordomo

Fri, 20 Feb 2026 19:15:00 +0000

Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 21:30:00 +0000

Values Added:
  • Description: identical to the Description at the top of this page.
  • Title: MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning
  • First Time appeared: Sergejey; Sergejey majordomo
  • Weaknesses: CWE-494
  • CPEs: cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
  • Vendors & Products: Sergejey; Sergejey majordomo
  • References
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:15.274Z

Reserved: 2026-02-18T15:22:30.053Z

Link: CVE-2026-27180

Vulnrichment

Updated: 2026-02-20T18:58:21.124Z

NVD

Status: Analyzed

Published: 2026-02-18T22:16:26.153

Modified: 2026-02-20T19:51:21.530

Link: CVE-2026-27180

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses