CVE-2026-27174
Published: 18 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-27174 is a critical remote code execution vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation platform. The flaw affects the admin panel's PHP console feature due to an include order bug in modules/panel.class.php, which allows execution to proceed past a redirect() call lacking an exit statement. This permits unauthenticated requests to reach the ajax handler in inc_panel_ajax.php, where user-supplied input from GET parameters is passed directly to eval() without authentication checks, exacerbated by the use of register_globals.
Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted GET request to /admin.php with the ajax_panel, op, and command parameters containing arbitrary PHP code. Successful exploitation results in full remote code execution on the affected server, providing complete control over the system. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Improper Control of Generation of Code).
Advisories and patches are available via referenced sources, including a detailed technical post at https://chocapikk.com/posts/2026/majordomo-revisited/, a fix pull request at https://github.com/sergejey/majordomo/pull/1177, and a VulnCheck advisory at https://www.vulncheck.com/advisories/majordomo-unauthenticated-remote-code-execution-via-admin-console-eval. Security practitioners should consult these for specific mitigation guidance, such as applying the upstream patch.
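As an added example (not code from the advisory or from the MajorDoMo project), the following Python check walks constructed web-server access-log lines and flags the request shape described above: a request to admin.php carrying the ajax_panel, op and command parameters together. Addresses, parameter values and the redacted payload marker are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx common-log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names from the advisory: the eval path is reached when all three arrive.
CONSOLE_PARAMS = {"ajax_panel", "op", "command"}


def is_console_eval_attempt(line: str) -> bool:
    """True when a log line shows a request to admin.php carrying ajax_panel, op and command."""
    m = LOG_RE.match(line)
    if not m:
        return False
    target = urlsplit(m.group("target"))
    if not target.path.lower().endswith("/admin.php"):
        return False
    params = parse_qs(target.query, keep_blank_values=True)
    # Do not filter on status: the missing exit after redirect() means the
    # response can still be a 302 even though the submitted code already ran.
    return CONSOLE_PARAMS.issubset(params)


def scan(lines):
    """Return matching lines as dicts (ip, timestamp, status) for triage."""
    hits = []
    for line in lines:
        if is_console_eval_attempt(line):
            m = LOG_RE.match(line)
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status")})
    return hits


# Constructed sample access log (documentation address ranges; payload redacted).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2026:10:01:02 +0000] "GET /admin.php?ajax_panel=1&op=example&command=REDACTED_PAYLOAD HTTP/1.1" 302 0
198.51.100.7 - - [18/Feb/2026:10:01:05 +0000] "GET /admin.php HTTP/1.1" 302 0
198.51.100.7 - - [18/Feb/2026:10:01:09 +0000] "GET /index.php?op=example&command=REDACTED_PAYLOAD HTTP/1.1" 200 2048
203.0.113.5 - - [18/Feb/2026:10:02:00 +0000] "GET /majordomo/admin.php?command=REDACTED_PAYLOAD&op=example&ajax_panel=1 HTTP/1.1" 200 77
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} -> CVE-2026-27174 request shape")
```

A hit is only the request shape, not proof of compromise; confirm against the host (process activity, PHP error logs, file changes) and apply the upstream fix.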
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote code execution via a public-facing web application (admin panel), directly mapping to exploitation of public-facing applications.