CVE-2026-27179
Published: 18 February 2026
Summary
CVE-2026-27179 is a high-severity SQL Injection (CWE-89) vulnerability in Mjdm Majordomo. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of the unsanitized $_GET['parent'] parameter to prevent its interpolation into SQL queries, comprehensively addressing the SQL injection vulnerability.
Mandates identification, reporting, and correction of the specific unauthenticated SQL injection flaw in commands_search.inc.php, enabling patching as referenced in advisories.
Limits permitted actions without authentication, such as loading the vulnerable commands module via /objects/?module=commands, reducing unauthenticated exploitation opportunities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SQL injection in publicly reachable web module (T1190) directly enables extraction of arbitrary data including credentials from the backend database (T1213.006).
NVD Description
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via…
more
the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
Deeper analysisAI
CVE-2026-27179 is an unauthenticated SQL injection vulnerability in MajorDoMo (also known as Major Domestic Module), specifically within the commands module. The issue stems from the commands_search.inc.php file, which directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Published on 2026-02-18, the vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and maps to CWE-89.
Attackers with network access can exploit this as unauthenticated users through time-based blind SQL injection, such as via UNION SELECT SLEEP() syntax. Successful exploitation allows extraction of data from the database, including admin passwords stored as unsalted MD5 hashes in the users table. This enables attackers to obtain credentials and gain subsequent access to the admin panel.
Advisories and patches addressing mitigation are detailed in VulnCheck's advisory at https://www.vulncheck.com/advisories/majordomo-unauthenticated-sql-injection-in-commands-module, a GitHub pull request at https://github.com/sergejey/majordomo/pull/1177, and analysis at https://chocapikk.com/posts/2026/majordomo-revisited/. Security practitioners should consult these resources for patch deployment and hardening recommendations.
Details
- CWE(s)