Vulnerability Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mjdm | Majordomo | - |
Related Weaknesses (CWE)
References
- https://chocapikk.com/posts/2026/majordomo-revisited/ExploitThird Party Advisory
- https://github.com/sergejey/majordomo/pull/1177ExploitIssue Tracking
- https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-executioThird Party Advisory
FAQ
What is CVE-2026-27180?
CVE-2026-27180 is a vulnerability with a CVSS score of 9.8 (CRITICAL). MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method...
How severe is CVE-2026-27180?
CVE-2026-27180 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-27180?
Check the references section above for vendor advisories and patch information. Affected products include: Mjdm Majordomo.