CVE-2026-27174

CRITICAL · EXPLOITED · NUCLEI

MajorDoMo - Unauthenticated Remote Code Execution via Admin Console Eval


Exploitation Summary

CVE-2026-27174 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits: proof-of-concept repositories from researchers XiaomingX and MaxMnMl, and a Metasploit module, exploits/multi/http/majordomo_console_eval_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary

This repository contains a functional proof-of-concept exploit for CVE-2026-27174, an unauthenticated remote code execution vulnerability in MajorDomo's admin panel. The exploit leverages a missing exit after authentication redirect, allowing arbitrary PHP code execution via an exposed eval() function in the AJAX handler.

Description

MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.

Exploits (3)

github · WORKING POC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27174

This repository contains a functional proof-of-concept exploit for CVE-2026-27174, an unauthenticated remote code execution vulnerability in MajorDomo's admin panel. The exploit leverages a missing exit after authentication redirect, allowing arbitrary PHP code execution via an exposed eval() function in the AJAX handler.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: MajorDomo (Major Domestic Module) versions prior to February 18, 2026 patch
Authentication: none needed
Prerequisites: Network access to the target's admin panel
Analyzed by devstral-2 on Feb 27, 2026
nomisec · WORKING POC
by MaxMnMl · remote
https://github.com/MaxMnMl/majordomo-CVE-2026-27174-poc

This repository contains a functional proof-of-concept exploit for CVE-2026-27174, an unauthenticated remote code execution vulnerability in MajorDomo's admin panel. The exploit leverages a missing exit after authentication redirect, allowing arbitrary PHP code execution via an exposed eval() function in the AJAX handler.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: MajorDomo (Major Domestic Module) versions prior to February 18, 2026 patch
Authentication: none needed
Prerequisites: Network access to the target's admin panel
Analyzed by devstral-2 on Feb 26, 2026
metasploit · WORKING POC · EXCELLENT
ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/majordomo_console_eval_rce.rb

This Metasploit module exploits an unauthenticated RCE vulnerability in MajorDoMo by leveraging a missing exit statement after a redirect, allowing direct eval() execution of PHP code via GET parameters.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: MajorDoMo (all versions up to latest)
Authentication: none needed
Prerequisites: Network access to MajorDoMo admin panel
Analyzed by devstral-2 on Mar 02, 2026

Nuclei Templates (1)

MajorDoMo - Unauthenticated RCE
CRITICAL · VERIFIED · by 0x_Akoko
Shodan: http.html:"templates/application.html"
FOFA: body="templates/application.html"

References (3)

Scores

CVSS v3: 9.8
EPSS: 0.8541
EPSS Percentile: 99.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2026-04-18
CWE: CWE-94
Status: published
Products (1): mjdm/majordomo
Published: Feb 18, 2026
Tracked Since: Feb 19, 2026