CVE 8.8 HIGH

MajorDoMo Unauthenticated SQL Injection in Commands Module (CVE-2026-27179)

8.8 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Description

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
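The following is an added illustration, not code from MajorDoMo: it shows the pattern the description names, a request parameter interpolated straight into SQL text, beside the parameterized form that removes the injection. The table and column names (`commands`, `ID`, `TITLE`, `PARENT_ID`, `users`, `PASSWORD`) and the use of `mysqli` are assumptions for the example only.

```php
<?php
// Added example, not MajorDoMo's own code. Table and column names are assumed.

// Vulnerable pattern: the value of ?parent= becomes part of the SQL text,
// so quote characters, UNION clauses or SLEEP() calls in it are executed
// as SQL. This is the class of defect the advisory describes.
function search_commands_vulnerable(mysqli $db, array $get): array
{
    $parent = $get['parent'] ?? '';
    $sql = "SELECT ID, TITLE FROM commands WHERE PARENT_ID = '" . $parent . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened form: validate the expected type first, then bind the value as a
// parameter so the database driver treats it as data, never as SQL.
function search_commands_safe(mysqli $db, array $get): array
{
    $parent = filter_var($get['parent'] ?? null, FILTER_VALIDATE_INT);
    if ($parent === false) {
        return []; // anything that is not an integer id is rejected outright
    }
    $stmt = $db->prepare('SELECT ID, TITLE FROM commands WHERE PARENT_ID = ?');
    $stmt->bind_param('i', $parent);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// The second weakness named above is unsalted MD5 password storage, which
// turns any successful table dump into crackable credentials. A salted,
// slow hash limits the damage of such a dump. Column name is assumed.
function store_password_safe(mysqli $db, int $userId, string $plain): bool
{
    $hash = password_hash($plain, PASSWORD_DEFAULT); // bcrypt with a per-user salt
    $stmt = $db->prepare('UPDATE users SET PASSWORD = ? WHERE ID = ?');
    $stmt->bind_param('si', $hash, $userId);
    return $stmt->execute();
}

function check_password_safe(mysqli $db, int $userId, string $plain): bool
{
    $stmt = $db->prepare('SELECT PASSWORD FROM users WHERE ID = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && password_verify($plain, $row['PASSWORD']);
}
```

Binding the parameter fixes the query itself; the other condition the description relies on, that the module is reachable without authentication, is addressed separately by requiring a valid session before the loader includes a module and calls its usual() method, and by allowlisting the module names it will include.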

AI Analysis

Unauthenticated SQL injection vulnerability in the commands module of MajorDoMo, allowing for extraction of admin credentials and access to the admin panel.

Basic Information

ID CVE-2026-27179
Source VulnCheck
Published Feb 18, 2026 at 21:10

Affected Product

Vendor sergejey
Product MajorDoMo
Affected Versions sergejey MajorDoMo 0

CWE Classification

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor sergejey
Product MajorDoMo

References
