Unauthenticated SQL Injection in MajorDoMo by MajorDoMo
CVE-2026-27179

8.8 HIGH

Key Information:

Vendor

Sergejey

Status
Vendor
CVE Published:
18 February 2026

What is CVE-2026-27179?

MajorDoMo, a home automation framework, contains a significant SQL injection vulnerability in its commands module. The flaw arises from missing input sanitization in the commands_search.inc.php file, where the $_GET['parent'] parameter is interpolated directly into SQL queries. The issue is aggravated by the fact that the commands module is reachable without authentication through the /objects/?module=commands endpoint, which lets unauthenticated requests invoke arbitrary modules. Using time-based blind SQL injection (UNION SELECT SLEEP() syntax), an attacker can extract sensitive information, including the unsalted MD5 password hashes of admin accounts stored in the users table. Successful exploitation could ultimately grant the attacker access to the admin panel, with serious consequences for data integrity and security.

Affected Version(s)

MajorDoMo 0

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability Published

  • Vulnerability Reserved

Credit

Valentin Lobstein