CVE-2026-27179

Name of the Vulnerable Software and Affected Versions MajorDoMo (affected versions not specified)

Description MajorDoMo contains an unauthenticated SQL injection issue in the commands module. The commands search.inc.php file directly uses the $ GET['parent'] parameter in SQL queries without proper sanitization or parameterized queries. The /objects/?module=commands API endpoint allows loading arbitrary modules without authentication, calling their usual() method. This allows exploitation through time-based blind SQL injection using UNION SELECT SLEEP() syntax. Successful exploitation can lead to the extraction of admin credentials, which are stored as unsalted MD5 hashes in the users table, and subsequent access to the admin panel.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.