Exploitation Summary
EIP tracks 2 public exploits for CVE-2026-27179. PoCs published by XiaomingX, p3Nt3st3r-sTAr.
AI-analyzed exploit summary The repository contains obfuscated Python code using PyArmor, which is highly unusual for legitimate PoCs. The code is truncated and lacks any meaningful technical details about the vulnerability, suggesting deception.
Description
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
Exploits (2)
The repository contains obfuscated Python code using PyArmor, which is highly unusual for legitimate PoCs. The code is truncated and lacks any meaningful technical details about the vulnerability, suggesting deception.
The repository contains an obfuscated Python script using PyArmor, which is highly suspicious and indicative of malicious intent. The lack of readable exploit code and the use of obfuscation suggest this is a deceptive payload rather than a legitimate PoC.
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N