Remote Code Execution Vulnerability in MajorDoMo by MajorDoMo Company
CVE-2026-27180

9.3 CRITICAL

Key Information:

Vendor: Sergejey
Status: Vendor
CVE Published: 18 February 2026

What is CVE-2026-27180?

MajorDoMo is susceptible to unauthenticated remote code execution arising from a supply-chain weakness: the update URL can be poisoned. The saverestore module exposes its admin() method at the /objects/?module=saverestore endpoint without requiring authentication. Because requests to this endpoint are not properly validated, an unauthenticated attacker can change the system update URL through the auto_update_settings mode handler. The attacker can then trigger the force_update handler, which fetches an Atom feed from the attacker-controlled URL, downloads the referenced content without integrity checks, and executes arbitrary commands, including writing webshells directly into the document root. The issue illustrates the risk of combining missing input validation with an unprotected update mechanism.
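The description above names two observable stages: an unauthenticated request to the saverestore module that changes the update URL, and a later force_update that pulls from that URL. The example below is added here and is not code from MajorDoMo or the advisory. It does two defensive things: flags web-server access-log requests to the saverestore endpoint (treating the auto_update_settings and force_update handlers as high severity), and checks a configured update URL against an allowlist of trusted hosts. The sample log lines are constructed, and the assumption that the handler names appear as the value of a `mode` query parameter is this example's own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines in combined log format; they are not
# taken from any real MajorDoMo deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2026:10:01:02 +0000] "GET /objects/?module=saverestore HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Feb/2026:10:01:05 +0000] "POST /objects/?module=saverestore&mode=auto_update_settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Feb/2026:10:01:09 +0000] "GET /objects/?module=saverestore&mode=force_update HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.168.1.20 - - [18/Feb/2026:10:02:00 +0000] "GET /objects/?module=weather HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Handler names quoted in the advisory. That they arrive as the value of a
# "mode" query parameter is an assumption of this example, not a documented fact.
SENSITIVE_MODES = {"auto_update_settings", "force_update"}
SENSITIVE_MODULE = "saverestore"


def parse_line(line):
    """Return a dict of the fields we care about, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    query = parse_qs(parsed.query)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parsed.path,
        "module": query.get("module", [None])[0],
        "mode": query.get("mode", [None])[0],
        "status": int(m.group("status")),
    }


def flag_saverestore_requests(log_text):
    """Return every request that reaches the saverestore module.

    Any hit is 'medium' because the endpoint needs no authentication; hits on
    the update-settings or force-update handlers are 'high' because together
    they form the update-URL poisoning chain described in the advisory.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["module"] != SENSITIVE_MODULE:
            continue
        rec["severity"] = "high" if rec["mode"] in SENSITIVE_MODES else "medium"
        hits.append(rec)
    return hits


def is_trusted_update_url(url, allowed_hosts):
    """Accept an update URL only if it uses HTTPS and points at an allowlisted host.

    The allowlist is supplied by the operator; this example carries no real
    vendor hostnames.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


if __name__ == "__main__":
    for hit in flag_saverestore_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} mode={hit["mode"]} severity={hit["severity"]}')
    # "updates.example.invalid" is a constructed placeholder host.
    print(is_trusted_update_url("http://updates.example.invalid/feed.atom", {"updates.example.invalid"}))
```

In practice the log check belongs in a SIEM rule keyed on the `module=saverestore` query string, and the URL check belongs wherever the update URL is persisted, so a poisoned value is rejected before force_update ever runs.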

Affected Version(s)

MajorDoMo 0

References

EPSS Score

47% chance of being exploited in the next 30 days.

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein