Lucene search
K

144 matches found

NVD
NVD
added 2026/02/18 10:16 p.m.9 views

CVE-2026-27180

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin method through the /objects/?module=saverestore endpoint without authentication because it uses gr'mode'...

9.8CVSS0.01086EPSS
Exploits4References3
NVD
NVD
added 2026/02/18 10:16 p.m.11 views

CVE-2026-27174

MajorDoMo aka Major Domestic Module allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect call that lacks an exit statement, allowing unauthenticated requests to reach th...

9.8CVSS0.06996EPSS
Exploits4References3
NVD
NVD
added 2026/02/18 10:16 p.m.10 views

CVE-2026-27176

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

6.1CVSS0.00449EPSS
Exploits1References3
NVD
NVD
added 2026/02/18 10:16 p.m.8 views

CVE-2026-27177

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrat...

7.2CVSS0.00196EPSS
Exploits1References3
NVD
NVD
added 2026/02/18 10:16 p.m.10 views

CVE-2026-27179

MajorDoMo aka Major Domestic Module contains an unauthenticated SQL injection vulnerability in the commands module. The commandssearch.inc.php file directly interpolates the $GET'parent' parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is...

9.8CVSS0.00468EPSS
Exploits2References3
NVD
NVD
added 2026/02/18 10:16 p.m.7 views

CVE-2026-27178

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as...

7.2CVSS0.00227EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/18 9:10 p.m.25 views

CVE-2026-27180 MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin method through the /objects/?module=saverestore endpoint without authentication because it uses gr'mode'...

9.8CVSS0.01086EPSS
Exploits4References3
Cvelist
Cvelist
added 2026/02/18 9:10 p.m.28 views

CVE-2026-27181 MajorDoMo Unauthenticated Module Uninstall via Market Endpoint

MajorDoMo aka Major Domestic Module allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr'mode' from $REQUEST and assigns it to $this-mode at the start of execution, making all mode-gated code paths reachable without...

8.7CVSS0.00708EPSS
Exploits1References3
CVE
CVE
added 2026/02/18 9:10 p.m.25 views

CVE-2026-27180

CVE-2026-27180 — MajorDoMo supply chain RCE : Affected MajorDoMo allows unauthenticated remote code execution via a poisoned update URL. The saverestore admin endpoint at /objects/?module=saverestore is exposed because gr('mode') reads from $_REQUEST instead of the framework’s mode, enabling an a...

9.8CVSS6.8AI score0.01086EPSS
Exploits4References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/18 9:10 p.m.3 views

CVE-2026-27181 MajorDoMo Unauthenticated Module Uninstall via Market Endpoint

MajorDoMo aka Major Domestic Module allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr'mode' from $REQUEST and assigns it to $this-mode at the start of execution, making all mode-gated code paths reachable without...

8.7CVSS5.8AI score0.00708EPSS
Exploits1References3
CVE
CVE
added 2026/02/18 9:10 p.m.12 views

CVE-2026-27181

MajorDoMo is affected by an unauthenticated module-uninstall vulnerability via the market endpoint. The market/admin flow reads gr('mode') from $_REQUEST and sets $this->mode before authentication, making all mode-gated paths reachable through /objects/?module=market. The uninstall handler cal...

8.7CVSS5.8AI score0.00708EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/18 9:10 p.m.4 views

CVE-2026-27179 MajorDoMo Unauthenticated SQL Injection in Commands Module

MajorDoMo aka Major Domestic Module contains an unauthenticated SQL injection vulnerability in the commands module. The commandssearch.inc.php file directly interpolates the $GET'parent' parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is...

8.8CVSS6.1AI score0.00468EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/02/18 9:10 p.m.27 views

CVE-2026-27179 MajorDoMo Unauthenticated SQL Injection in Commands Module

MajorDoMo aka Major Domestic Module contains an unauthenticated SQL injection vulnerability in the commands module. The commandssearch.inc.php file directly interpolates the $GET'parent' parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is...

8.8CVSS0.00468EPSS
Exploits2References3
CVE
CVE
added 2026/02/18 9:10 p.m.22 views

CVE-2026-27179

CVE-2026-27179 affects MajorDoMo’s commands module, where commands_search.inc.php interpolates $_GET['parent'] into SQL without sanitization or parameterization. The /objects/?module=commands endpoint is loadable without authentication, enabling arbitrary module calls via their usual() method. Th...

9.8CVSS6.1AI score0.00468EPSS
Exploits2References3Affected Software1
CVE
CVE
added 2026/02/18 9:10 p.m.16 views

CVE-2026-27178

CVE-2026-27178 (MajorDoMo) is a stored XSS vulnerability in MajorDoMo exposed via the /objects/?method= endpoint, permitting unauthenticated execution of stored methods with attacker-controlled parameters. The issue arises when default methods (e.g., ThisComputer.VolumeLevelChanged) pass the VALU...

7.2CVSS5.5AI score0.00227EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/18 9:10 p.m.6 views

CVE-2026-27178 MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as...

7.2CVSS5.5AI score0.00227EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/02/18 9:10 p.m.4 views

CVE-2026-27177 MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrat...

7.2CVSS5.2AI score0.00196EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/18 9:10 p.m.23 views

CVE-2026-27177 MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrat...

7.2CVSS0.00196EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/02/18 9:10 p.m.5 views

CVE-2026-27176 MajorDoMo Reflected Cross-Site Scripting in command.php

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

6.1CVSS5.4AI score0.00449EPSS
Exploits1References3
CVE
CVE
added 2026/02/18 9:10 p.m.19 views

CVE-2026-27176

MajorDoMo (Major Domestic Module) has a reflected XSS in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting ...

6.1CVSS5.4AI score0.00449EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder