PT-2026-20511 · Majordomo · Majordomo

Valentin Lobstein · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-27175

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MajorDoMo versions (affected versions not specified)

Description

MajorDoMo is susceptible to unauthenticated OS command injection through the 'rc/index.php' component. The $param variable, sourced from user input, is interpolated into a command string inside double quotes without being sanitized with escapeshellarg(). The safe_exec() function then places this command in a database queue without performing any sanitization of its own. The cycle_execs.php script, which is accessible via the web without authentication, retrieves commands from the queue and executes them directly using exec(). An attacker can exploit a race condition by triggering cycle_execs.php to clear the queue and initiate a polling loop, then injecting a malicious command through the 'rc' endpoint while the worker is polling. Because the shell expands metacharacters inside double quotes, this results in remote code execution.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
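
The quoting flaw and two mitigations described above, as an added example that is not MajorDoMo's code or part of the original advisory. The function names, script path and allowlist pattern are hypothetical, and a POSIX shell is assumed.

```php
<?php
// Added example: hypothetical helpers, not taken from the MajorDoMo source.

// Guard for a queue worker such as cycle_execs.php: refuse to run under a
// web SAPI, so an HTTP request cannot start the polling loop.
function require_cli(): void
{
    if (PHP_SAPI !== 'cli') {
        http_response_code(403);
        exit('worker is CLI-only');
    }
}

// Pattern the description attributes to rc/index.php: user input placed
// inside double quotes, where the shell still performs expansion.
function build_command_unsafe(string $script, string $param): string
{
    return $script . ' "' . $param . '"';
}

// Hardened form: allowlist the value first, then quote every argument with
// escapeshellarg(), which single-quotes it so the shell sees one literal word.
function build_command_safe(string $script, string $param): string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $param)) {
        throw new InvalidArgumentException('param rejected by allowlist');
    }
    return escapeshellarg($script) . ' ' . escapeshellarg($param);
}

require_cli();

// Constructed sample inputs: one containing a shell expansion, one plain.
$expanding = '$HOME';
$plain     = 'lamp_on';
$script    = '/opt/example/rc.sh'; // hypothetical path

// Double quotes leave the expansion active when a shell runs this string.
echo build_command_unsafe($script, $expanding), PHP_EOL;
// Single-quoted by escapeshellarg(), so the shell does not expand it.
echo escapeshellarg($expanding), PHP_EOL;
// A value that passes the allowlist is quoted and accepted.
echo build_command_safe($script, $plain), PHP_EOL;
try {
    build_command_safe($script, $expanding);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Quoting has to happen where the command string is built, because the description states that neither the queueing function nor the worker sanitizes what it receives.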

Exploit

OS Command Injection

Weakness Enumeration

Related identifiers

CVE-2026-27175

Affected products

Majordomo