CVE-2026-27174
CRITICALMajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval
CVSS v3
9.8
CRITICAL
EPSS Score
85.4%
exploit probability
CISA KEV
No
known exploited
Exploitation
poc
SSVC status
Description
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. A
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 2/18/2026
- Last Modified
- 2/20/2026
Frequently Asked Questions
What is CVE-2026-27174?
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. A
Is CVE-2026-27174 actively exploited?
A proof-of-concept exploit exists for CVE-2026-27174, but active exploitation has not been confirmed at this time.
What is the CVSS score for CVE-2026-27174?
CVE-2026-27174 has a CVSS v3 base score of 9.8 (CRITICAL severity), with vector string 3.1.
Is CVE-2026-27174 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.