Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
8.8

MajorDoMo allows attackers to steal admin passwords

CVE-2026-27179
Summary

An attacker can exploit this vulnerability to extract MajorDoMo admin passwords and gain unauthorized access to the admin panel. The vulnerability is caused by poor coding practices in the commands_search.inc.php file. To protect yourself, update to a fixed version of MajorDoMo or patch the vulnerable file to prevent unauthorized access to sensitive data.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
VendorProductAffected versionsFix available
mjdm majordomo All versions –
Original title
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] para...
Original description
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
nvd CVSS3.1 9.8
nvd CVSS4.0 8.8
Vulnerability type
CWE-89 SQL Injection
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026