143 matches found

Nuclei
added yesterday, 2 views

MajorDoMo - Cross-Site Scripting

MajorDoMo contains a reflected XSS caused by the unsanitized $qry parameter in command.php, letting attackers inject arbitrary JavaScript via crafted URLs; exploitation requires the victim to visit a malicious URL. id: CVE-2026-27176 info: name: MajorDoMo - Cross-Site Scripting author: DhiyaneshDk severity:...

6.1 CVSS, 5.9 AI score, 0.00095 EPSS
Exploits: 1, References: 1
Nuclei
added 3 days ago, 74 views

MajorDoMo thumb.php - OS Command Injection

MajorDoMo aka Major Domestic Module before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager. id: CVE-2023-50917 info: name: MajorDoMo thumb.php - OS Command Injection author: DhiyaneshDK severity: critical...

9.8 CVSS, 7.4 AI score, 0.92637 EPSS
Exploits: 6, References: 5
Nuclei
added 3 days ago, 0 views

MajorDoMo - Unauthenticated RCE

MajorDoMo contains a remote code execution vulnerability caused by an include order bug and lack of exit after redirect in the admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests. id: CVE-2026-27174 info: name: MajorDoMo - Unauthenticated RCE author:...

9.8 CVSS, 6.8 AI score, 0.85411 EPSS
Exploits: 4, References: 4
VulnCheck KEV
added 2026/04/18 12:0 a.m., 4 views

VulnCheck KEV: CVE-2026-27174

MajorDoMo aka Major Domestic Module allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect call that lacks an exit statement, allowing unauthenticated requests to reach th...

9.8 CVSS, 6.7 AI score, 0.85411 EPSS
In wild, Exploits: 4, References: 26
VulnCheck KEV
added 2026/04/13 12:0 a.m., 8 views

VulnCheck KEV: CVE-2026-27175

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg. The command is inserted into a database queue by...

9.8 CVSS, 6.5 AI score, 0.25968 EPSS
In wild, Exploits: 3, References: 2
Packet Storm
added 2026/03/06 12:0 a.m., 106 views

MajorDoMo Remote Code Execution

A critical vulnerability in the MajorDoMo web console allows unauthenticated remote attackers to execute arbitrary system commands on the target server. By sending crafted requests to the /admin.php endpoint with manipulated console parameters, an attacker can inject and execute PHP code remotely...

9.8 CVSS, 6.2 AI score, 0.85411 EPSS
Exploits: 4
Metasploit
added 2026/03/02 6:58 p.m., 177 views

MajorDoMo Console Eval Unauthenticated RCE

This module exploits an unauthenticated remote code execution vulnerability in MajorDoMo, an open-source home automation platform. The admin panel's PHP console is accessible without authentication due to a missing exit after redirect in modules/panel.class.php. The redirect("/") call intended to...

9.8 CVSS, 6.3 AI score, 0.85411 EPSS
Exploits: 4
Metasploit
added 2026/03/02 6:58 p.m., 188 views

MajorDoMo Remote Command Injection via cycle_execs Race Condition

This module exploits an unauthenticated command injection vulnerability in MajorDoMo's remote command handler rc/index.php. The param parameter is interpolated into double quotes without escapeshellarg, and the resulting string is passed to safeexec which inserts it into the safeexecs database...

9.8 CVSS, 5.8 AI score, 0.25968 EPSS
Exploits: 3
Metasploit
added 2026/03/02 6:58 p.m., 209 views

MajorDoMo Supply Chain RCE via Update Poisoning

This module exploits an unauthenticated remote code execution vulnerability in MajorDoMo's saverestore module via supply chain poisoning. The saverestore module's admin method is reachable without authentication through the /objects/?module=saverestore endpoint because usual calls admin directly...

9.8 CVSS, 6.3 AI score, 0.48797 EPSS
Exploits: 4
GithubExploit
added 2026/03/02 8:20 a.m., 137 views

Exploit for SQL Injection in Mjdm Majordomo

CVE-2026-27179 Proof of Concept Academic & Defensive Resea...

9.8 CVSS, 7.2 AI score, 0.62808 EPSS
Exploits: 39
Packet Storm
added 2026/03/02 12:0 a.m., 93 views

MajorDoMo Remote Command Injection / Race Condition

This Metasploit module exploits an unauthenticated command injection vulnerability in MajorDoMo's remote command handler rc/index.php. The param parameter is interpolated into double quotes without escapeshellarg, and the resulting string is passed to safeexec which inserts it into the safeexecs...

9.8 CVSS, 5.9 AI score, 0.25968 EPSS
Exploits: 3
Packet Storm
added 2026/03/02 12:0 a.m., 125 views

MajorDoMo Supply Chain Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in MajorDoMo's saverestore module via supply chain poisoning. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require...

9.8 CVSS, 6.5 AI score, 0.48797 EPSS
Exploits: 4
Packet Storm
added 2026/03/02 12:0 a.m., 106 views

MajorDoMo Console Eval Unauthenticated Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in MajorDoMo, an open-source home automation platform. The admin panel's PHP console is accessible without authentication due to a missing exit after redirect in modules/panel.class.php. The redirect("/") call...

9.8 CVSS, 6.5 AI score, 0.85411 EPSS
Exploits: 4
RedhatCVE
added 2026/02/20 1:22 a.m., 3 views

CVE-2026-27177

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrat...

7.2 CVSS, 5.2 AI score, 0.00047 EPSS
Exploits: 1, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 1 views

CVE-2026-27176

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

6.1 CVSS, 5.4 AI score, 0.00095 EPSS
Exploits: 1, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 2 views

CVE-2026-27174

MajorDoMo aka Major Domestic Module allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect call that lacks an exit statement, allowing unauthenticated requests to reach th...

9.8 CVSS, 6.9 AI score, 0.85411 EPSS
Exploits: 4, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 2 views

CVE-2026-27181

MajorDoMo aka Major Domestic Module allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without...

8.7 CVSS, 5.8 AI score, 0.00074 EPSS
Exploits: 1, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 3 views

CVE-2026-27175

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg. The command is inserted into a database queue by...

9.8 CVSS, 6.6 AI score, 0.25968 EPSS
Exploits: 3, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 4 views

CVE-2026-27180

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode')...

9.8 CVSS, 6.8 AI score, 0.48797 EPSS
Exploits: 4, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 0 views

CVE-2026-27179

MajorDoMo aka Major Domestic Module contains an unauthenticated SQL injection vulnerability in the commands module. The commandssearch.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is...

9.8 CVSS, 6.1 AI score, 0.00045 EPSS
Exploits: 2, References: 1