PT-2026-20517 · Majordomo · Majordomo

Valentin Lobstein · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-27181

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MajorDoMo versions (affected versions not specified)
Description: The software allows unauthenticated arbitrary module uninstallation through the market module. The admin() method within the market module reads the mode value via gr('mode'), which takes it from $_REQUEST, and assigns it to $this->mode. This makes every mode-gated code path reachable without authentication through the /objects/?module=market API endpoint. The uninstall mode handler calls the uninstallPlugin() function, which deletes the module's records from the database, executes the module's uninstall() method using eval(), recursively deletes the module's directory and template files using removeTree(), and removes the associated cycle scripts. An attacker can send a series of unauthenticated GET requests to wipe the entire installation.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
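As an added defensive example (not code from this advisory or from the MajorDoMo project), the following Python script scans web-server access-log lines for GET requests that reach the market module's uninstall mode through the /objects/?module=market endpoint named above. The log lines are constructed samples; the script assumes the mode value arrives as a query-string parameter named mode, which is what gr('mode') reading $_REQUEST implies for GET requests, and the mode=view line is a hypothetical non-destructive mode used only as a negative case. Because $_REQUEST also accepts POST bodies, which access logs do not record, a hit here is a sufficient indicator but the absence of hits is not proof the endpoint was never exercised.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; illustrative only, not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2026:10:01:02 +0000] "GET /objects/?module=market&mode=uninstall HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [18/Feb/2026:10:01:03 +0000] "GET /objects/?module=market HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2026:10:02:10 +0000] "GET /objects/?module=market&mode=view HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2026:10:02:11 +0000] "GET /objects/?module=market&mode=uninstall HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [18/Feb/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # keep_blank_values so that a bare "mode=" still shows up as a parameter
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def is_market_uninstall(entry):
    """True when the request reaches the market module's uninstall mode.

    module=market selects the market module's admin() method; mode=uninstall is the
    value that admin() assigns to $this->mode and that dispatches to uninstallPlugin().
    The mode parameter name is an assumption derived from gr('mode') reading $_REQUEST.
    """
    params = entry["params"]
    return (
        entry["path"].rstrip("/") == "/objects"
        and params.get("module") == ["market"]
        and "uninstall" in params.get("mode", [])
    )


def find_uninstall_requests(log_text):
    """All parsed entries that hit the uninstall mode, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_market_uninstall(entry):
            hits.append(entry)
    return hits


def summarize_by_source(log_text):
    """Count uninstall-mode hits per client IP, which is the unit an alert would be raised on."""
    return dict(Counter(e["ip"] for e in find_uninstall_requests(log_text)))


if __name__ == "__main__":
    for hit in find_uninstall_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} status={hit["status"]}')
    print(summarize_by_source(SAMPLE_LOG))
```

Any hit is worth an alert on its own, since the advisory describes no legitimate unauthenticated use of this mode. With no fixed version known at publication, the practical mitigation is to restrict access to the /objects/?module=market endpoint at the web-server or network layer to trusted administrators, and to keep offline backups so that a wiped installation can be restored.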

Exploit

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-27181

Affected Products

Majordomo