Unauthenticated Arbitrary Module Uninstallation in MajorDoMo by Chocapikk
CVE-2026-27181

8.7 HIGH

Key Information:

Vendor: Sergejey

Status
Vendor
CVE Published: 18 February 2026

What is CVE-2026-27181?

The MajorDoMo application is vulnerable to an unauthenticated arbitrary module uninstallation through its market module. The vulnerability stems from the market module's admin() method, which assigns user input to a mode variable directly from the $_REQUEST array. This allows an attacker to exploit the /objects/?module=market endpoint to access all mode-gated functionalities without needing authentication. By sending a series of unauthenticated GET requests, an attacker can execute the uninstallPlugin() function, which subsequently deletes critical module records, executes uninstall scripts, and removes related files from the server. This vulnerability poses a significant risk as it enables the complete removal of a MajorDoMo installation, leading to extensive data loss and service disruption.
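A defender can look for this request pattern in web server access logs. The following is an added example, not code from the advisory or from MajorDoMo: it assumes combined-format access logs and that the mode variable arrives as a query parameter named `mode`; the log lines, addresses and the `EXAMPLE_MODE` value are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Common/combined log format: IP - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_market_mode_requests(lines):
    """Return requests to /objects/ that select module=market and set a mode."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m["target"])
        path = unquote(url.path).lower()
        if path != "/objects" and not path.startswith("/objects/"):
            continue
        # parse_qs percent-decodes names and values, so "%6dode" is seen as "mode"
        qs = parse_qs(url.query, keep_blank_values=True)
        modules = [v.lower() for v in qs.get("module", [])]
        if "market" not in modules or "mode" not in qs:
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "mode": qs["mode"][0], "status": int(m["status"])})
    return hits

def hits_per_source(hits):
    """Count flagged requests per client address for triage."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log lines (documentation address ranges, placeholder mode value)
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Feb/2026:10:00:01 +0000] "GET /objects/?module=market&mode=EXAMPLE_MODE HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [18/Feb/2026:10:00:02 +0000] "GET /objects/?module=market&%6dode=EXAMPLE_MODE HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.10 - - [18/Feb/2026:10:00:03 +0000] "GET /objects/?module=market HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [18/Feb/2026:10:00:04 +0000] "GET /other/?module=market&mode=EXAMPLE_MODE HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_market_mode_requests(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["method"], "mode=" + h["mode"], h["status"])
    print(dict(hits_per_source(found)))
```

Because `$_REQUEST` also carries POST fields, a query-string search like this covers only the GET requests the description mentions; POST bodies do not appear in standard access logs.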

Affected Version(s)

MajorDoMo 0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein