{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80211?format=json","vulnerability_id":"VCID-82kw-uuqz-skbn","summary":"MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.","aliases":[{"alias":"CVE-2026-27175"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27175","reference_id":"","reference_type":"","scores":[{"value":"0.25968","scoring_system":"epss","scoring_elements":"0.96397","published_at":"2026-06-11T12:55:00Z"},{"value":"0.25968","scoring_system":"epss","scoring_elements":"0.96412","published_at":"2026-06-14T12:55:00Z"},{"value":"0.25968","scoring_system":"epss","scoring_elements":"0.96408","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27175"},{"reference_url":"https://github.com/sergejey/majordomo/pull/1177","reference_id":"1177","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:20:08Z/"}],"url":"https://github.com/sergejey/majordomo/pull/1177"},{"reference_url":"https://www.vulncheck.com/advisories/majordomo-command-injection-in-rcindexphp-via-race-condition","reference_id":"majordomo-command-injection-in-rcindexphp-via-race-condition","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:20:08Z/"}],"url":"https://www.vulncheck.com/advisories/majordomo-command-injection-in-rcindexphp-via-race-condition"},{"reference_url":"https://chocapikk.com/posts/2026/majordomo-revisited/","reference_id":"majordomo-revisited","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:20:08Z/"}],"url":"https://chocapikk.com/posts/2026/majordomo-revisited/"}],"weaknesses":[{"cwe_id":78,"name":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","description":"The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."}],"exploits":[{"date_added":null,"description":"This module exploits an unauthenticated command injection vulnerability in MajorDoMo's\n          remote command handler (rc/index.php). The param parameter is interpolated into double\n          quotes without escapeshellarg(), and the resulting string is passed to safe_exec() which\n          inserts it into the safe_execs database table with no sanitization.\n\n          The cycle_execs.php worker script is web-accessible without authentication. On startup it\n          purges the safe_execs queue, then enters an infinite loop polling the table every second\n          and passing each command to exec(). A race condition is required: the worker must be\n          started first (which purges existing entries), then the injection is performed while the\n          worker is polling. The next iteration picks up and executes the attacker's payload.\n\n          The command parameter must reference a valid .bat file in rc/commands/. The default\n          MajorDoMo installation ships with shutdown.bat, displayon.bat, and displayoff.bat.\n\n          All versions of MajorDoMo up to and including the latest release are affected.\n          The fix is tracked in PR sergejey/majordomo#1177.","required_action":null,"due_date":null,"notes":"Stability:\n  - crash-safe\nReliability:\n  - repeatable-session\nSideEffects:\n  - ioc-in-logs\n","known_ransomware_campaign_use":false,"source_date_published":"2026-02-18","exploit_type":null,"platform":"Linux,Unix,Windows","source_date_updated":null,"data_source":"Metasploit","source_url":"https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/majordomo_cmd_injection_rce.rb"}],"severity_range_score":"9.2 - 9.8","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-82kw-uuqz-skbn"}