CVE-2026-27175
Published: 18 February 2026
Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without being escaped with escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside the double quotes, achieving remote code execution within one second.
Mitigating Controls (NIST 800-53 r5)
- SI-10 Information Input Validation: requires validation and sanitization of user-supplied inputs such as $param before they are interpolated into command strings, directly preventing OS command injection.
- AC-14 Permitted Actions Without Identification or Authentication: limits what can be done without authenticating, such as reaching rc/index.php and cycle_execs.php, the unauthenticated endpoints that queue and execute commands.
- SI-2 Flaw Remediation: mandates timely identification, reporting, and correction of flaws such as this command injection, including applying fixes such as GitHub PR #1177.
Security Summary
CVE-2026-27175, published on 2026-02-18, is a critical unauthenticated OS command injection vulnerability (CWE-78, CVSS v3 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting MajorDoMo (aka Major Domestic Module), an open-source home automation platform. The issue resides in the rc/index.php endpoint, where the user-supplied $param variable is interpolated directly into a command string within double quotes without being escaped (for example with escapeshellarg()). This command is then inserted into a database queue by the safe_exec() function, which performs no additional sanitization.
An unauthenticated remote attacker can exploit this via a race condition to achieve remote code execution. The web-accessible cycle_execs.php script, lacking authentication, retrieves queued commands and passes them directly to exec(). By first triggering cycle_execs.php—which purges the queue and enters a polling loop—the attacker can then inject a malicious command through the rc endpoint while the worker polls. Shell metacharacters in the payload expand inside the double-quoted string, enabling RCE within one second.
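The producer/queue/worker chain described above, as an added PHP example that is not MajorDoMo's own code: a user-controlled value is interpolated inside shell double quotes, queued as plain text, and later passed to exec() by a worker that cannot tell a benign entry from an injected one. The echo command template, the enqueue()/runWorker() functions and the payloads are hypothetical stand-ins for rc/index.php, safe_exec() and cycle_execs.php, constructed for this illustration; the hardened builder shows the escapeshellarg() fix the advisory calls for.

```php
<?php
// Added example, not MajorDoMo code. Models the pattern the advisory describes:
// a user-controlled $param interpolated into a double-quoted command string,
// queued, and later handed to exec() by a worker. The command template, queue
// and worker are hypothetical stand-ins for rc/index.php, safe_exec() and
// cycle_execs.php.

// Vulnerable producer: $param lands inside shell double quotes, where $(...),
// backticks and an embedded " are still interpreted by /bin/sh.
function buildVulnerable(string $param): string
{
    return "echo \"$param\"";
}

// Hardened producer: escapeshellarg() wraps the value in single quotes (and
// escapes any embedded single quote), so the shell sees one literal word.
function buildHardened(string $param): string
{
    return 'echo ' . escapeshellarg($param);
}

// Queue stand-in for safe_exec(): stores the command text verbatim, so any
// escaping has to happen before this point.
function enqueue(array &$queue, string $cmd): void
{
    $queue[] = $cmd;
}

// Worker stand-in for cycle_execs.php: drains the queue straight into exec().
// Besides escaping at enqueue time, this worker must not be reachable without
// authentication.
function runWorker(array &$queue): array
{
    $results = [];
    while (($cmd = array_shift($queue)) !== null) {
        $out = [];
        exec($cmd, $out);   // same sink as the advisory: exec() on queued text
        $results[] = ['cmd' => $cmd, 'out' => implode("\n", $out)];
    }
    return $results;
}

// Constructed payloads: command substitution, and a double-quote breakout.
$payloads = ['$(id)', '"; id; echo "'];

foreach ($payloads as $p) {
    $queue = [];
    enqueue($queue, buildVulnerable($p));
    enqueue($queue, buildHardened($p));
    foreach (runWorker($queue) as $r) {
        printf("%-40s -> %s\n", $r['cmd'], str_replace("\n", " | ", $r['out']));
    }
}
```

Run it with `php` on a Unix host: the two vulnerable queue entries execute id (the output starts with uid=), while the two hardened entries echo the payload text back unchanged, because escapeshellarg() turned it into a single-quoted literal. The point of modelling the queue is that the worker is the wrong place to fix this: by the time cycle_execs.php reads a row it has no way to know which bytes were user input, so the escaping must be applied where $param is first interpolated, and the worker endpoint itself should not be callable by unauthenticated users.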
Advisories from VulnCheck and a Chocapikk blog post detail the issue, while mitigation is provided via GitHub pull request #1177 in the sergejey/majordomo repository, which addresses the injection flaw.
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- Affected Products: MajorDoMo (aka Major Domestic Module)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated RCE via OS command injection in a public-facing web application (T1190, Exploit Public-Facing Application), with the payload relying on Unix shell metacharacters (T1059.004, Command and Scripting Interpreter: Unix Shell).