CVE-2026-27175
MajorDoMo Command Injection in rc/index.php via Race Condition
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.
| CWE | CWE-78 |
| Vendor | sergejey |
| Product | majordomo |
| Published | Feb 18, 2026 |
| Last Updated | Mar 5, 2026 |
Get instant alerts for sergejey majordomo
Be the first to know when new critical vulnerabilities affecting sergejey majordomo are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H