Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Mar 5, 2026

MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval

CVE-2026-27174

Description

MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.

Affected products

TYPO3/Majordomollm-fuzzy
sergejey/MajorDoMov5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/sergejey/majordomo/pull/1177mitrepatch
chocapikk.com/posts/2026/majordomo-revisited/mitrethird-party-advisory
www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-evalmitrethird-party-advisory

News mentions

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
The Hacker News · May 18, 2026
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories
The Hacker News · Apr 23, 2026

cvss	0.000
epss	0.068
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000