CVE-2026-27174 in MajorDoMo

Summary

by MITRE • 02/19/2026

MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.


Analysis

by VulDB Data Team • 02/21/2026

CVE-2026-27174 affects MajorDoMo (Major Domestic Module), a home-automation platform administered through a PHP web interface. The flaw lies in the admin panel's PHP console, a feature meant to let an authenticated administrator run PHP from the browser. Because of a control-flow bug in the check that is supposed to protect the admin panel, that console can be reached by any remote, unauthenticated client.

The root cause is an include-order bug in modules/panel.class.php. When the request is not authenticated the code calls redirect() to send the client to the login page, but redirect() only emits a Location header and the caller does not follow it with exit. PHP keeps executing, so the file that implements the panel's ajax handler, inc_panel_ajax.php, is still included and run. The client does receive a redirect response, but by the time it is sent the privileged code has already executed. Treating a redirect as if it ended the request is a long-standing PHP mistake: a Location header changes what the browser does next, not what the server does now.

The impact is unauthenticated remote code execution. inc_panel_ajax.php imports request parameters into the global scope in the register_globals style the summary refers to (PHP itself removed register_globals in 5.4, so on a current PHP this is application code doing the import), which turns the GET parameters ajax_panel, op and command into variables. The console handler then passes command straight to eval() with no authentication check and no validation. A single crafted GET request to /admin.php carrying those three parameters therefore runs attacker-supplied PHP with the privileges of the web server user.
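To make the control-flow point concrete, here is a minimal PHP model written for this article. It is not MajorDoMo's code and it does not reproduce the project's files: the helper names (redirect_vulnerable, redirect_fixed, panel_ajax, admin_php), the login URL and the op value 'console' are assumptions; only the three parameter names come from the advisory. It shows the same unauthenticated request handled by a redirect() that returns and by one that exits.

```php
<?php
declare(strict_types=1);
// Added illustration, not code from MajorDoMo or from the advisory. Models the bug
// described above with made-up helper names: a redirect() that does not terminate
// the script, followed by an ajax handler that eval()s a request parameter.
// Assumed: the op value 'console' and the login URL. Only the parameter names
// ajax_panel, op and command come from the advisory text.

$trace = [];   // what each simulated request did, in order

// Vulnerable shape: emit the redirect and return. PHP keeps running the caller.
function redirect_vulnerable(string $url): void
{
    global $trace;
    $trace[] = "redirect -> $url";
    // header("Location: $url");  // what real code does; omitted so this runs on the CLI
}

// Fixed shape: terminate right after the redirect. Nothing after the call can run.
function redirect_fixed(string $url): void
{
    global $trace;
    $trace[] = "redirect -> $url";
    // header("Location: $url");
    exit;
}

// Stand-in for the included ajax handler. extract() emulates register_globals:
// the GET parameters become $ajax_panel, $op and $command, and $command hits eval().
function panel_ajax(array $get): void
{
    global $trace;
    extract($get, EXTR_SKIP);
    if (isset($ajax_panel, $op, $command) && $op === 'console') {
        $trace[] = "eval({$command})";
        eval($command);   // the sink; the constructed payload below is a harmless echo
    }
}

// Stand-in for admin.php: redirect unauthenticated callers, then include the handler.
function admin_php(array $get, bool $loggedIn, bool $fixed): void
{
    if (!$loggedIn) {
        if ($fixed) {
            redirect_fixed('/index.php?login');
        } else {
            redirect_vulnerable('/index.php?login');
        }
    }
    panel_ajax($get);   // still reached when the redirect did not exit
}

// Runs even after exit, so the trace of the fixed path is visible too.
register_shutdown_function(function (): void {
    global $trace;
    echo 'trace: ' . implode(' | ', $trace) . "\n";
});

// Constructed request from an unauthenticated client.
$request = ['ajax_panel' => '1', 'op' => 'console', 'command' => 'echo "payload ran\n";'];

echo "vulnerable redirect:\n";
admin_php($request, false, false);   // prints "payload ran": eval() was reached
echo 'trace: ' . implode(' | ', $trace) . "\n";

$trace = [];
echo "fixed redirect:\n";
admin_php($request, false, true);    // exit fires; the shutdown trace shows no eval
echo "never printed\n";
```

Run it with php from the command line: the first half prints the payload's output and a trace containing eval(), the second half only the redirect entry. Note what the hardened form does not do: it still relies on the caller remembering to exit. A handler that is only safe when every earlier include terminated correctly is fragile, so the check that the session is an administrator's belongs inside the ajax handler as well, before anything reaches eval().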

The weakness is CWE-94: Improper Control of Generation of Code ('Code Injection'), and the gate that fails to protect it is CWE-306: Missing Authentication for Critical Function. (CWE-80, Improper Neutralization of Script-Related HTML Tags, is a cross-site scripting class and does not describe this bug.) In MITRE ATT&CK terms the entry point is T1190: Exploit Public-Facing Application and the resulting execution is T1059: Command and Scripting Interpreter; no phishing component is involved. Because the console runs as the web server user with no authentication at all, a single request takes an attacker from the network straight to code execution on the host.

Organizations running MajorDoMo should act immediately. Disable the admin panel's PHP console outright if it is not needed; an eval()-backed console is a liability even when its authentication works. Make every redirect that is meant to end a request actually end it (exit after the Location header), and move the authentication check into the ajax handler itself so that it does not depend on earlier includes having terminated. Until a fixed build is deployed, block requests to /admin.php that carry ajax_panel, op and command at a reverse proxy or web application firewall, and keep the admin interface off the public internet: the EPSS score on this page (0.85) indicates exploitation is expected, and a home-automation controller exposed with this bug should be treated as compromised until proven otherwise. Finally, audit the rest of the codebase for the same pattern, a header('Location: ...') or redirect() call that is not followed by exit, since it rarely occurs only once.
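Blocking the request shape at the edge presupposes being able to recognise it, and the same recognition is what an incident responder needs when checking whether an exposed instance was already hit. The following PHP, written for this article and not taken from the project or the advisory, scans web-server access logs for GET requests to admin.php that carry all three parameters. The log lines are constructed for the example in Apache/nginx combined format, with addresses from the documentation ranges; the function names are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not from the advisory or the project: scan web-server access logs
// for the request shape the advisory describes (GET to /admin.php carrying
// ajax_panel, op and command). The log lines are constructed for this example in
// Apache/nginx "combined" format; the addresses are documentation ranges.

$sampleLog = <<<'LOG'
203.0.113.7 - - [19/Feb/2026:10:01:02 +0000] "GET /admin.php?ajax_panel=1&op=console&command=phpinfo%28%29%3B HTTP/1.1" 200 5120 "-" "curl/8.4.0"
198.51.100.9 - admin [19/Feb/2026:10:02:10 +0000] "GET /admin.php?ajax_panel=1&op=status HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Feb/2026:10:03:55 +0000] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2026:10:04:01 +0000] "GET /admin.php?op=console&ajax_panel=1&command=echo%201%3B HTTP/1.1" 302 0 "-" "curl/8.4.0"
LOG;

// Parse one combined-format line into the fields we need, or null if it does not match.
function parseCombined(string $line): ?array
{
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'time' => $m[3],
            'method' => $m[4], 'target' => $m[5], 'status' => (int) $m[6]];
}

// True when the request is a GET to admin.php carrying all three console parameters.
// Parameter order and URL encoding do not matter: parse_str() normalises both.
function isConsoleRequest(array $req, ?array &$params): bool
{
    $params = [];
    if ($req['method'] !== 'GET') {
        return false;
    }
    $path = parse_url($req['target'], PHP_URL_PATH);
    if (!is_string($path) || basename($path) !== 'admin.php') {
        return false;
    }
    parse_str((string) parse_url($req['target'], PHP_URL_QUERY), $params);
    return isset($params['ajax_panel'], $params['op'], $params['command']);
}

// Collect every matching line with the decoded command for triage.
function scanLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseCombined($line);
        if ($req !== null && isConsoleRequest($req, $params)) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'],
                       'user' => $req['user'], 'command' => $params['command']];
        }
    }
    return $hits;
}

foreach (scanLog($sampleLog) as $h) {
    printf("%s %s status=%d user=%s command=%s\n",
           $h['time'], $h['ip'], $h['status'], $h['user'], $h['command']);
}
```

On the sample this reports the first and fourth lines and ignores the legitimate status call and the unrelated page. Two caveats matter in practice. The console is a real administrative feature, so hits from known admin workstations are expected; the access log cannot tell you whether the application session was valid, and the %u field only reflects web-server authentication, so every hit from an unexpected source deserves triage. And the 302 on the last hit is not evidence that the request was stopped: on a vulnerable build the redirect is sent after the eval() has already run. The scanner also only sees GET query strings; if the application imports POST parameters the same way, a POST variant would not appear in the access log at all.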

Responsible

VulnCheck

Reservation

02/18/2026

Disclosure

02/19/2026

Moderation

accepted

CPE

ready

EPSS

0.85411

KEV

no

Activities

very low
