MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
CVE-2026-27180
Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-02-19. the CNA's CVSS baseline 9.8; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 61.3%
- KEV
- Not listed
Published
February 18, 2026
Last Modified
June 23, 2026
Advisory Details (3)
Auto-updated Jul 4, 2026MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning | Advisories | VulnCheck
https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-execution-via-update-url-poisoningFix: 8 security vulnerabilities (3 RCE, 1 module uninstall, 1 SQLi, 2 stored XSS, 1 reflected XSS)
Fix merged in sergejey/majordomo PR #1177 on 2026-02-18 — awaiting tagged release
https://github.com/sergejey/majordomo/pull/1177MajorDoMo Revisited: What I Missed in 2023 - Chocapikk's Cybersecurity Blog
https://chocapikk.com/posts/2026/majordomo-revisited/Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 9× in last 7d / 24× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:15 UTCEPSS rescore
- 2026-07-08 15:15 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 03:25 UTCEG score recompute
- 2026-06-27 03:24 UTCGHSA enrichment
- 2026-06-27 03:17 UTCMITRE cvelistV5first tracked
Publicly available exploits
(1 reference)Working exploit code is in the public domain (1 Metasploit module). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Metasploitexploit/multi/http/majordomo_supply_chain_rce✓ verifiedFirst seen Feb 18, 2026
MajorDoMo Supply Chain RCE via Update Poisoning
Open source ↗
Frequently asked(5)
What is CVE-2026-27180?
When was CVE-2026-27180 disclosed?
Is CVE-2026-27180 actively exploited?
What is the CVSS score of CVE-2026-27180?
How do I remediate CVE-2026-27180?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-27180
Is Your Infrastructure Affected by CVE-2026-27180?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.