Description
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files using removeTree(), and removes associated cycle scripts. An attacker can iterate through module names and wipe the entire MajorDoMo installation with a series of unauthenticated GET requests.
Published: 2026-02-18
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated deletion of modules, allowing full removal of application functionality
Action: Apply Vendor Patch
AI Analysis

Impact

MajorDoMo’s market module contains an admin() method that reads a 'mode' parameter from the request and assigns it to a class property without any authentication checks. When this endpoint is accessed via /objects/?module=market, the code path that handles the 'uninstall' mode becomes reachable. The handler calls uninstallPlugin(), which removes database entries for the target module, evaluates the module’s uninstall() method with eval(), recursively deletes the module’s directory and template files, and removes associated cycle scripts. By iterating over existing module names with unauthenticated GET requests, an attacker can delete individual modules or effectively wipe the entire MajorDoMo installation. This missing authorization flaw (CWE-862) enables arbitrary deletion of application components, resulting in loss of functionality and potential denial of service.
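One way to spot attempts to reach the unauthenticated mode-gated paths in web-server access logs, as an added example that is not part of this advisory or of the MajorDoMo project: it parses constructed combined-format log lines, flags /objects/ requests that combine module=market with a mode parameter (mode=uninstall being the destructive case that ends in uninstallPlugin()), and reports sources that repeat the uninstall request, which is the module-by-module iteration the description warns about. The log lines, the addresses and the name= query parameter are constructed assumptions, not taken from real traffic or from the project's request format.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic. The "name"
# query parameter is an assumed placeholder for the targeted module.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2026:21:30:01 +0000] "GET /objects/?module=market&mode=uninstall&name=weather HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.5 - - [18/Feb/2026:21:30:02 +0000] "GET /objects/?module=market&mode=uninstall&name=app_player HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.7 - - [18/Feb/2026:21:31:10 +0000] "GET /objects/?module=market&mode=install HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Feb/2026:21:32:00 +0000] "GET /objects/?module=devices&mode=edit HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(target):
    """Return 'uninstall', 'other-mode' or None for one request target.
    Any /objects/ request with module=market plus a mode parameter reaches a
    mode-gated path the advisory says needs no authentication; mode=uninstall
    is the destructive one (it ends in uninstallPlugin())."""
    parts = urlsplit(target)
    if not parts.path.startswith("/objects/"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("module", [""])[0] != "market" or "mode" not in qs:
        return None
    return "uninstall" if qs["mode"][0] == "uninstall" else "other-mode"

def scan(log_text):
    """One finding per matching line: (ip, timestamp, kind, status, target)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip
        kind = classify(m["target"])
        if kind:
            findings.append((m["ip"], m["ts"], kind, int(m["status"]), m["target"]))
    return findings

def repeat_offenders(findings, threshold=2):
    """Sources with >= threshold uninstall hits, i.e. likely iterating over modules."""
    counts = Counter(ip for ip, _, kind, _, _ in findings if kind == "uninstall")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run `scan(SAMPLE_LOG)` and feed the result to `repeat_offenders()`; a source with several uninstall hits in a short window deserves an immediate block at the web server or firewall, which is the access restriction the recommended actions below describe.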

Affected Systems

MajorDoMo (sergejey:MajorDoMo) – all versions are affected; no version constraints are specified.

Risk and Exploitability

The CVSS score of 8.7 reflects the high impact of this flaw. The EPSS score is below 1 %, indicating a low probability of exploitation at the moment, and the vulnerability is not yet listed in the CISA KEV catalog. Nonetheless, the attack vector is straightforward: an unauthenticated attacker only needs to send HTTP GET requests to the /objects/?module=market endpoint; no other privileges or elevated access are required. If exploited, the attacker can permanently delete individual modules or the complete installation, making this a significant availability and integrity threat for unattended installations.

Generated by OpenCVE AI on April 16, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch supplied in the GitHub pull request (sergejey/majordomo#1177) to fix the market module’s authorization bypass.
  • Restrict access to the /objects/?module=market endpoint so that only authenticated users can reach it—use .htaccess, firewall rules, or platform authentication middleware.
  • Disable or remove the market module from the system if it is not required, thereby eliminating the vulnerable endpoint until the patch can be applied.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mjdm; Mjdm majordomo
CPEs                                   cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
Vendors & Products                     Mjdm; Mjdm majordomo

Wed, 18 Feb 2026 22:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 21:30:00 +0000

Type                  Values Removed   Values Added
Description                            (identical to the Description section above)
Title                                  MajorDoMo Unauthenticated Module Uninstall via Market Endpoint
First Time appeared                    Sergejey; Sergejey majordomo
Weaknesses                             CWE-862
CPEs                                   cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
Vendors & Products                     Sergejey; Sergejey majordomo
References
Metrics                                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                       cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:16.043Z

Reserved: 2026-02-18T15:22:30.054Z

Link: CVE-2026-27181

Vulnrichment

Updated: 2026-02-18T21:25:29.876Z

NVD

Status: Analyzed

Published: 2026-02-18T22:16:26.337

Modified: 2026-02-20T19:51:48.533

Link: CVE-2026-27181

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses