PT-2026-20516 · Majordomo · Majordomo

Valentin Lobstein · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-27180

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MajorDoMo (affected versions not specified)

Description: MajorDoMo is subject to unauthenticated remote code execution resulting from a supply chain compromise via update URL poisoning. The saverestore module's admin() method is accessible without authentication through the /objects/?module=saverestore API endpoint, because it uses gr('mode'), which reads directly from $_REQUEST instead of going through the framework's own security measures. An attacker can change the system update URL through the auto update settings mode handler and then trigger the force update handler to start the update process. The autoUpdateSystem() function retrieves an Atom feed from the attacker-controlled URL with minimal validation. It then downloads a tarball using curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts the contents with exec('tar xzvf ...'), and copies the extracted files into the document root using copyTree(). This allows an attacker to place arbitrary PHP files, including webshells, in the webroot with two GET requests.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
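The chain above fails at three points: a mode handler reachable without authentication because it reads straight from $_REQUEST, an attacker-controllable update URL fetched with peer verification turned off, and a shell-based extraction copied straight into the webroot. The following is an added example, not MajorDoMo's code, of what a hardened version of that update path looks like in PHP. is_admin_session(), ALLOWED_UPDATE_HOSTS, the pinned SHA-256 digest and the staging directory are assumptions made for the illustration, not identifiers from the project.

```php
<?php
declare(strict_types=1);

// Added example (not MajorDoMo code): hardened update path for the weaknesses
// described in the advisory. is_admin_session(), ALLOWED_UPDATE_HOSTS and the
// pinned digest are assumptions for illustration only.

const ALLOWED_UPDATE_HOSTS = ['updates.example.invalid']; // assumed allowlist

/** Assumed framework hook: true only for a logged-in administrator session. */
function is_admin_session(): bool
{
    return isset($_SESSION['user_role']) && $_SESSION['user_role'] === 'admin';
}

/** Accept only https URLs on an allowlisted host, with no embedded credentials. */
function validate_update_url(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (strtolower($p['scheme']) !== 'https' || isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    return in_array(strtolower($p['host']), ALLOWED_UPDATE_HOSTS, true);
}

/** Download with certificate and hostname verification left ON and no redirects. */
function fetch_tarball(string $url, string $dest): bool
{
    $fh = fopen($dest, 'wb');
    if ($fh === false) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE           => $fh,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,           // the vulnerable code set this to FALSE
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 120,
    ]);
    $ok = curl_exec($ch) === true && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    fclose($fh);
    return $ok;
}

/** Pin the archive to a digest obtained out of band before anything is unpacked. */
function digest_matches(string $path, string $expectedSha256): bool
{
    return hash_equals(strtolower($expectedSha256), hash_file('sha256', $path));
}

/** Unpack with PharData (no shell), refusing entries that would escape $target. */
function extract_into(string $tarball, string $target): bool
{
    try {
        $archive = new PharData($tarball);
        $prefix  = $archive->getPathname() . '/';   // "phar:///.../update.tar.gz/"
        foreach (new RecursiveIteratorIterator($archive) as $entry) {
            $rel = substr($entry->getPathname(), strlen($prefix));
            if ($rel === '' || $rel[0] === '/' || in_array('..', explode('/', $rel), true)) {
                return false;                       // traversal attempt: reject the whole archive
            }
        }
        $archive->extractTo($target, null, true);
        return true;
    } catch (Throwable $e) {
        return false;
    }
}

/** The only entry point: authenticated POST, allowlisted URL, verified archive, staged extraction. */
function handle_force_update(string $updateUrl, string $expectedSha256, string $stagingDir): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_admin_session()) {
        http_response_code(403);
        return false;
    }
    if (!validate_update_url($updateUrl)) {
        return false;
    }
    // Keep the .tar.gz suffix so PharData recognises the format.
    $tmp = sys_get_temp_dir() . '/' . bin2hex(random_bytes(8)) . '.tar.gz';
    $ok  = fetch_tarball($updateUrl, $tmp)
        && digest_matches($tmp, $expectedSha256)
        && extract_into($tmp, $stagingDir);         // stage first; never unpack into the webroot
    @unlink($tmp);
    return $ok;
}
```

The design point is that each check is independent of the others: even if the allowlist were misconfigured, TLS verification and the pinned digest still stop a substituted tarball, and even a legitimate archive is unpacked into a staging directory rather than the document root, so a stray PHP file never becomes reachable over the web on its own.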

Exploit

RCE


Weakness Enumeration

Related Identifiers

CVE-2026-27180

Affected Products

Majordomo