9.3
MajorDoMo Admin Panel Allows Unauthenticated Code Execution
Exploitation likelihood: 60%
CVE-2026-27174
Summary
The MajorDoMo admin panel has a flaw that lets anyone execute arbitrary code without authenticating, which could allow an attacker to take control of the system. The remedy is to update to a fixed version from the vendor once one is available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mjdm | majordomo | All versions | – |
Original title
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to con...
Original description
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.
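A detection sketch for the request shape described above, added here as an example and not taken from the advisory or the MajorDoMo project: it scans web access logs for requests to /admin.php that carry all three of the ajax_panel, op and command parameters. The Combined Log Format layout, the function names and the sample lines are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Parameter names and path come from the advisory text. It gives no parameter
# values, so the check keys on the presence of all three names.
REQUIRED_PARAMS = {"ajax_panel", "op", "command"}
TARGET_PATH = "/admin.php"

# Assumed layout, Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious(line):
    """Return a dict describing the hit, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split by hand: urlsplit() would read a leading "//" as a host name.
    raw_path, _, query = m["target"].partition("?")
    # Decode, collapse duplicate slashes and fold case so trivial variations
    # of the path still match (conservative: may over-match on Linux hosts).
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    if not path.endswith(TARGET_PATH):
        return None
    params = parse_qs(query, keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(params):
        return None
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "command_len": len(params["command"][0])}

def scan(lines):
    """Return the hits for every matching line, in input order."""
    return [hit for hit in map(suspicious, lines) if hit]

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE = [
    '192.0.2.10 - - [06/Mar/2026:10:00:01 +0000] "GET /admin.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [06/Mar/2026:10:00:05 +0000] "GET /admin.php?ajax_panel=1&op=PLACEHOLDER&command=PLACEHOLDER HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.10 - - [06/Mar/2026:10:00:09 +0000] "GET /admin.php?action=devices HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.4 - - [06/Mar/2026:10:00:12 +0000] "GET //ADMIN.PHP?command=PLACEHOLDER&op=PLACEHOLDER&ajax_panel=1 HTTP/1.1" 200 12 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A signed-in administrator using the panel console can produce requests of the same shape, so treat hits as leads and correlate them with source address and session data before escalating.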
NVD CVSS 3.1
9.8
NVD CVSS 4.0
9.3
Vulnerability type
CWE-94
Code Injection
- https://chocapikk.com/posts/2026/majordomo-revisited/ Third Party Advisory Exploit
- https://github.com/sergejey/majordomo/pull/1177 Issue Tracking Exploit
- https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execu... Third Party Advisory
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026