CVE-2026-27180

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://chocapikk.com/posts/2026/majordomo-revisited/	Exploit Third Party Advisory
https://github.com/sergejey/majordomo/pull/1177	Exploit Issue Tracking
https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-execution-via-update-url-poisoning	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-18 22:16

Updated : 2026-02-20 19:51

NVD link : CVE-2026-27180

Mitre link : CVE-2026-27180

CVE.ORG link : CVE-2026-27180

JSON object : View

Products Affected

mjdm

majordomo

CWE

CWE-494

Download of Code Without Integrity Check

{"id": "CVE-2026-27180", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-18T22:16:26.153", "references": [{"url": "https://chocapikk.com/posts/2026/majordomo-revisited/", "tags": ["Exploit", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/sergejey/majordomo/pull/1177", "tags": ["Exploit", "Issue Tracking"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-execution-via-update-url-poisoning", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-494"}]}], "descriptions": [{"lang": "en", "value": "MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests."}, {"lang": "es", "value": "MajorDoMo (tambi\u00e9n conocido como Major Domestic Module) es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo no autenticada a trav\u00e9s de un compromiso de la cadena de suministro mediante el envenenamiento de la URL de actualizaci\u00f3n. El m\u00f3dulo saverestore expone su m\u00e9todo admin() a trav\u00e9s del endpoint /objects/?module=saverestore sin autenticaci\u00f3n porque usa gr('mode') (que lee directamente de $_REQUEST) en lugar del $this->mode del framework. Un atacante puede envenenar la URL de actualizaci\u00f3n del sistema a trav\u00e9s del manejador de modo auto_update_settings, y luego activar el manejador force_update para iniciar la cadena de actualizaci\u00f3n. El m\u00e9todo autoUpdateSystem() obtiene un feed Atom de la URL controlada por el atacante con una validaci\u00f3n trivial, descarga un tarball v\u00eda curl con la verificaci\u00f3n TLS deshabilitada (CURLOPT_SSL_VERIFYPEER establecido en FALSE), lo extrae usando exec('tar xzvf ...'), y copia todos los archivos extra\u00eddos a la ra\u00edz del documento usando copyTree(). Esto permite a un atacante desplegar archivos PHP arbitrarios, incluyendo webshells, en la ra\u00edz web con dos solicitudes GET."}], "lastModified": "2026-02-20T19:51:21.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7008978E-8DE1-4811-958F-3AFB3847B919"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}