Lucene search
K

9 matches found

Rapid7 Blog
Rapid7 Blog
added 2026/03/06 6:28 p.m.18 views

Metasploit Wrap-Up 03/06/2026

Encoder exposed! Some of our releases add new ways in; this one adds new ways to stay in. There are, of course, still new RCE toys in the box Tactical RMM via Jinja2 SSTI and an unauthenticated MajorDoMo exploit. Still, the underlying theme is payloads: more control over how they are packaged and...

9.8CVSS5.6AI score0.06872EPSS
Exploits7
RedhatCVE
RedhatCVE
added 2026/02/20 1:22 a.m.5 views

CVE-2026-27178

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as...

7.2CVSS5.5AI score0.00227EPSS
Exploits1References1
GithubExploit
GithubExploit
added 2026/02/19 4:10 p.m.192 views

Exploit for CVE-2026-27180

MajorDoMo RCE !Authorhttps://img.shields.io/badge/Author-Mo...

9.8CVSS7.2AI score0.01086EPSS
Exploits4
NVD
NVD
added 2026/02/18 10:16 p.m.11 views

CVE-2026-27175

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg. The command is inserted into a database queue by...

9.8CVSS0.06872EPSS
Exploits3References3
Cvelist
Cvelist
added 2026/02/18 9:10 p.m.25 views

CVE-2026-27178 MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox

MajorDoMo aka Major Domestic Module contains a stored cross-site scripting XSS vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as...

7.2CVSS0.00227EPSS
Exploits1References3
CVE
CVE
added 2026/02/18 9:10 p.m.23 views

CVE-2026-27177

MajorDoMo exposes a stored XSS via the /objects/?op=set endpoint, usable without authentication for IoT integration. User-supplied property values are stored raw and rendered unescaped in the admin property editor (SOURCE as a paragraph and VALUE in a textarea) on page load. The vulnerability als...

7.2CVSS5.2AI score0.00196EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/18 9:10 p.m.3 views

CVE-2026-27175 MajorDoMo Command Injection in rc/index.php via Race Condition

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg. The command is inserted into a database queue by...

9.8CVSS6.6AI score0.06872EPSS
Exploits3References3
ATTACKERKB
ATTACKERKB
added 2026/02/18 9:10 p.m.2 views

CVE-2026-27174

MajorDoMo aka Major Domestic Module allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect call that lacks an exit statement, allowing unauthenticated requests to reach th...

9.8CVSS6.7AI score0.06996EPSS
Exploits4References5
CNNVD
CNNVD
added 2024/04/30 12:0 a.m.4 views

MajorDoMo 安全漏洞

MajorDoMo is an open source DIY smart home automation platform from the MajorDoMo community. A security vulnerability exists in versions prior to MajorDoMo v.0662e5e. An attacker exploited the vulnerability to escalate privileges via the thumb/thumb.php component...

7.1CVSS7AI score0.00358EPSS
Exploits0References2
Rows per page
Query Builder