PT-2026-20510 · Majordomo · Majordomo

Valentin Lobstein · Published 2026-02-18 · Updated 2026-05-07 · CVE-2026-27174

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MajorDoMo (affected versions not specified)

Description: Unauthenticated remote code execution is possible via the admin panel's PHP console feature. An include-order bug in modules/panel.class.php lets execution continue past a redirect() call that is not followed by an exit statement: the Location header is sent, but the script keeps running, so unauthenticated requests still reach the ajax handler in inc panel ajax.php. The console handler in that file passes user-supplied input taken from GET parameters (through register_globals-style variable population) directly to eval() without any authentication check. An attacker can therefore execute arbitrary PHP code by sending a crafted GET request to the '/admin.php' endpoint with the ajax, panel, op, and command parameters. Real-world exploitation has been observed delivering php/meterpreter/reverse_tcp payloads.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until one is available, restricting network access to the admin panel (/admin.php) reduces exposure, since the flaw is reachable without credentials.
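The two checks below are an added example written for this page; they are not code from the advisory or from MajorDoMo. The first scans web-server access log lines for the request shape the description gives (a request to /admin.php carrying all four of the ajax, panel, op and command parameters) and rates it higher when the decoded command looks like PHP headed for eval(). The second is a heuristic source check for the root-cause pattern, a redirect() call with no exit after it. The log lines and PHP fragments are constructed; the parameter values in them are illustrative, since the advisory names the parameters but not their values, and the file and variable names in the PHP fragments are placeholders rather than MajorDoMo's own.

```python
"""Detection helpers for the MajorDoMo admin.php PHP-console RCE (CVE-2026-27174).
Added example, not the advisory's or the project's code. Sample data is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The four GET parameters the advisory says the crafted request carries.
REQUIRED_PARAMS = {"ajax", "panel", "op", "command"}

# Calls that suggest the command parameter is PHP destined for eval().
PHP_HINTS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|base64_decode|"
    r"file_put_contents|fsockopen)\s*\(",
    re.I,
)

# Constructed log lines. Parameter values (1, ls, ...) are illustrative only.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "GET /admin.php?ajax=1&panel=1&op=1&command=system%28%27id%27%29%3B HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [18/Feb/2026:10:00:02 +0000] "GET /admin.php?panel=1&op=1 HTTP/1.1" 200 9321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Feb/2026:10:00:03 +0000] "GET /admin.php?ajax=1&panel=1&op=1&command=ls HTTP/1.1" 200 128 "-" "curl/8.0"',
    '198.51.100.9 - - [18/Feb/2026:10:00:04 +0000] "GET /index.php?ajax=1&panel=1&op=1&command=system%28%27id%27%29 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "this line is not in combined log format and is skipped",
]


def parse_log_line(line):
    """Split one combined-format line into ip/method/target/status, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Rate a request target: ("none"|"medium"|"high", decoded command or None)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin.php"):
        return ("none", None)
    # keep_blank_values so an empty command=... still counts as present.
    params = parse_qs(parts.query, keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(params):
        return ("none", None)
    command = params["command"][0]  # parse_qs already URL-decodes the value
    if PHP_HINTS.search(command):
        return ("high", command)
    return ("medium", command)


def scan_log(lines):
    """Return one hit per flagged line with the decoded command for triage."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        if rec is None:
            continue
        severity, command = classify_request(rec["target"])
        if severity != "none":
            hits.append({"line": n, "ip": rec["ip"], "method": rec["method"],
                         "status": rec["status"], "severity": severity,
                         "command": command})
    return hits


# Constructed PHP fragments showing the root-cause pattern: redirect() without
# exit lets execution fall through into the include. Names are placeholders.
VULNERABLE_PHP = """<?php
if (!$authorized) {
    redirect('login.php');
}
include('ajax_handler.php');
"""
FIXED_PHP = """<?php
if (!$authorized) {
    redirect('login.php');
    exit;
}
include('ajax_handler.php');
"""


def redirects_without_exit(php_source):
    """Line numbers of redirect(...) calls not immediately followed by exit/die.

    Heuristic text scan, not a PHP parser: it only looks at the next two lines."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if re.search(r"\bredirect\s*\(", line):
            following = "\n".join(lines[i + 1:i + 3])
            if not re.match(r"\s*(exit|die)\b", following):
                findings.append(i + 1)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("vulnerable:", redirects_without_exit(VULNERABLE_PHP))
    print("fixed:", redirects_without_exit(FIXED_PHP))
```

The log rule keys on the parameter set rather than on specific values, because the advisory gives the parameter names but not the handler names; a request that carries all four to /admin.php is worth a look even when the command decodes to something harmless. The source check is deliberately crude; extending its first regex to header('Location: ...') catches the same fall-through pattern in other PHP code.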

Exploit

RCE

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-27174

Affected Products

Majordomo