CVE-2026-27175
- CVSS v3: 9.8 (CRITICAL)
- EPSS Score: 26.0% exploit probability
- CISA KEV: No (known exploited)
- Exploitation (SSVC status): —
Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can expl
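The interpolation weakness described above, next to a quoted form, as an added PHP example that is not MajorDoMo's code. The function names, the `printf` stand-in command and the sample input are all constructed for illustration, and a POSIX shell is assumed.

```php
<?php
// Added illustration. escapeshellarg(), exec() and preg_match() are real PHP
// functions; every other name is hypothetical and not taken from MajorDoMo.

// Weak pattern: request data placed inside double quotes in a command string.
// A POSIX shell still expands $(...), backticks and $VAR inside double quotes.
function build_unsafe(string $param): string
{
    return "printf '[%s]\\n' \"$param\"";
}

// Quoted form: escapeshellarg() wraps the value in single quotes and escapes
// embedded single quotes, so the shell passes it on as one literal argument.
function build_quoted(string $param): string
{
    return "printf '[%s]\\n' " . escapeshellarg($param);
}

// Defence in depth: reject anything outside a narrow allowlist before a
// command string is ever built or queued.
function is_allowed_param(string $param): bool
{
    return preg_match('/\A[A-Za-z0-9 _.-]{1,64}\z/', $param) === 1;
}

// Stand-in for a queue runner: executes stored strings exactly as queued,
// which is why the value must be made safe before it is stored.
function run_queue(array $queue): array
{
    $lines = [];
    foreach ($queue as $command) {
        exec($command, $lines); // appends each output line to $lines
    }
    return $lines;
}

// Constructed sample input containing a harmless command substitution.
$input = 'lamp $(echo EXPANDED)';

echo "unsafe: ", implode("\n", run_queue([build_unsafe($input)])), "\n";
echo "quoted: ", implode("\n", run_queue([build_quoted($input)])), "\n";
echo "allowlisted: ", var_export(is_allowed_param($input), true), "\n";
```

Quoting at the point of construction addresses only the interpolation; unauthenticated access to the script that runs the queue, which the description also reports, needs its own access control.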
Technical Details
- CVSS v3 Vector: 3.1
- Published: 2/18/2026
- Last Modified: 2/20/2026
Frequently Asked Questions
What is CVE-2026-27175?
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can expl
Is CVE-2026-27175 actively exploited?
Active exploitation of CVE-2026-27175 has not been confirmed. The EPSS score is 26.0%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-27175?
CVE-2026-27175 has a CVSS v3 base score of 9.8 (CRITICAL severity), with vector string 3.1.