CVE-2026-27175

Critical · Public PoC · RCE

Published: 18 February 2026
Modified: 20 February 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (GitHub PR #1177 in sergejey/majordomo)
CVSS Score (v4): 9.2, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0687 (93.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27175 is a critical-severity OS Command Injection (CWE-78) vulnerability in Mjdm Majordomo. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27175, published on 2026-02-18, is a critical unauthenticated OS command injection vulnerability (CWE-78; CVSS 9.8 on the v3 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting MajorDoMo (aka Major Domestic Module), an open-source home automation platform. The flaw is in the rc/index.php endpoint, where the user-supplied $param variable is interpolated directly into a double-quoted command string without sanitization (for example with escapeshellarg()). That command is then inserted into a database queue by the safe_exec() function, which performs no additional sanitization.

An unauthenticated remote attacker can exploit this via a race condition to achieve remote code execution. The web-accessible cycle_execs.php script, which requires no authentication, retrieves queued commands and passes them directly to exec(). By first triggering cycle_execs.php (which purges the queue and enters a polling loop), the attacker can then inject a malicious command through the rc endpoint while the worker is polling. Shell metacharacters in the payload expand inside the double-quoted string, enabling RCE within one second.

Advisories from VulnCheck and a Chocapikk blog post detail the issue, while mitigation is provided via GitHub pull request #1177 in the sergejey/majordomo repository, which addresses the injection flaw.

Vulnerability details

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables unauthenticated RCE via OS command injection in a public-facing web application (T1190) using Unix shell metacharacters (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27174 · Same product: Mjdm Majordomo
CVE-2026-27179 · Same product: Mjdm Majordomo
CVE-2026-27181 · Same product: Mjdm Majordomo
CVE-2026-27180 · Same product: Mjdm Majordomo
CVE-2026-27177 · Same product: Mjdm Majordomo
CVE-2026-27178 · Same product: Mjdm Majordomo
CVE-2018-25115 · Shared CWE-78
CVE-2025-24382 · Shared CWE-78
CVE-2026-29058 · Shared CWE-78
CVE-2024-57016 · Shared CWE-78

Affected Assets

Vendor: mjdm
Product: majordomo
Versions: all versions

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · SI-10 (Information Input Validation)
Requires validation and sanitization of user-supplied inputs like $param before interpolation into command strings, directly preventing OS command injection.

prevent · AC-14 (Permitted Actions Without Identification or Authentication)
Limits permitted actions without identification or authentication, such as access to the unauthenticated endpoints rc/index.php and cycle_execs.php that enable command queuing and execution.

prevent
Mandates timely identification, reporting, and correction of flaws like this command injection vulnerability, including application of fixes such as GitHub PR #1177.
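The following is an added PHP illustration, not MajorDoMo's own code and not the content of PR #1177. It puts the pattern the analysis and the SI-10 control describe (a user-supplied value interpolated into a double-quoted command string) beside a hardened handler with three layers: allowlist validation, escapeshellarg() quoting, and a shape check on the worker side before anything reaches exec(). The command name rc-tool, the functions build_command_weak(), validate_param(), build_command_safe() and worker_entry_is_well_formed(), the allowlist alphabet and the sample inputs are all assumptions made for this example.

```php
<?php
// Added illustration, not MajorDoMo's code. rc-tool and every function name
// below are hypothetical; the allowlist alphabet is an assumption.

// WEAK: $param lands inside a double-quoted shell string. Command substitution
// and variable expansion are still processed by the shell inside double quotes,
// so whatever the queued command is later exec()'d by interprets them.
function build_command_weak(string $param): string
{
    return "rc-tool \"$param\"";
}

// HARDENED, layer 1 (input validation, cf. SI-10): accept only the alphabet the
// endpoint actually needs. The pattern here is an assumption for the example;
// the real set of legal values is application-specific.
function validate_param(string $param): ?string
{
    return preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $param) === 1 ? $param : null;
}

// HARDENED, layer 2: escapeshellarg() wraps the value in single quotes and
// escapes embedded single quotes, so the shell sees exactly one literal word.
function build_command_safe(string $param): ?string
{
    $clean = validate_param($param);
    return $clean === null ? null : 'rc-tool ' . escapeshellarg($clean);
}

// HARDENED, layer 3: a worker that drains a shared queue should not trust its
// contents. Before exec(), require each entry to match the exact shape the
// producer emits; anything else is dropped (and should be logged) rather than run.
function worker_entry_is_well_formed(string $entry): bool
{
    return preg_match("/\\Arc-tool '[A-Za-z0-9_.-]{1,64}'\\z/", $entry) === 1;
}

// Demonstration on constructed inputs. Nothing is executed; the strings are
// only built and printed so the three layers can be compared.
$samples = [
    'light1',                    // legitimate device name (constructed)
    'light1 $(echo injected)',   // constructed value with a command substitution
];

foreach ($samples as $s) {
    $safe = build_command_safe($s);
    echo "input:        $s\n";
    echo "weak:         " . build_command_weak($s) . "\n";
    echo "quoted only:  rc-tool " . escapeshellarg($s) . "\n";
    echo "validated:    " . ($safe ?? '(rejected by validation)') . "\n";
    echo "worker check: " . ($safe !== null && worker_entry_is_well_formed($safe) ? 'accept' : 'drop') . "\n\n";
}
```

Run it with `php example.php`. The "quoted only" line shows that escapeshellarg() alone already turns the substitution into an inert single-quoted literal, which is the fix the advisory points at; the allowlist and the worker-side shape check are defence in depth for the case the analysis highlights, where the queue consumer runs unauthenticated and trusts whatever it finds. Note that escapeshellarg() quotes differently on Windows, so the worker pattern above assumes a POSIX shell.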
