CVE-2026-27180— MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-27180
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning
Source: NVD (National Vulnerability Database)
Vulnerability Description
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method through the /objects/?module=saverestore endpoint without authentication because it uses gr('mode') (which reads directly from $_REQUEST) instead of the framework's $this->mode. An attacker can poison the system update URL via the auto_update_settings mode handler, then trigger the force_update handler to initiate the update chain. The autoUpdateSystem() method fetches an Atom feed from the attacker-controlled URL with trivial validation, downloads a tarball via curl with TLS verification disabled (CURLOPT_SSL_VERIFYPEER set to FALSE), extracts it using exec('tar xzvf ...'), and copies all extracted files to the document root using copyTree(). This allows an attacker to deploy arbitrary PHP files, including webshells, to the webroot with two GET requests.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
下载代码缺少完整性检查
Source: NVD (National Vulnerability Database)
Vulnerability Title
MajorDoMo 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MajorDoMo是MajorDoMo社区的一个开源DIY智能家居自动化平台。 MajorDoMo存在安全漏洞,该漏洞源于saverestore模块通过/objects/?module=saverestore端点公开其admin()方法而无需身份验证,攻击者可毒化系统更新URL,然后触发force_update处理程序来启动更新链,该方法从攻击者控制的URL获取Atom源,下载tarball,提取并复制所有提取的文件到文档根目录,可能导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2026-27180
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/mbanyamer/CVE-2026-27180-MajorDoMo-unauthenticated-RCE | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-27180
请登录查看更多情报信息。
- MajorDoMo Revisited: What I Missed in 2023 - Chocapikk's Cybersecurity Blogthird-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27180
Same Patch Batch · sergejey · 2026-02-18 · 8 CVEs total
| CVE-2026-27175 | 9.8 CRITICAL | MajorDoMo Command Injection in rc/index.php via Race Condition |
| CVE-2026-27174 | 9.8 CRITICAL | MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval |
| CVE-2026-27179 | 8.2 HIGH | MajorDoMo Unauthenticated SQL Injection in Commands Module |
| CVE-2026-27181 | 7.5 HIGH | MajorDoMo Unauthenticated Module Uninstall via Market Endpoint |
| CVE-2026-27177 | 7.2 HIGH | MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint |
| CVE-2026-27178 | 7.2 HIGH | MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox |
| CVE-2026-27176 | 6.1 MEDIUM | MajorDoMo Reflected Cross-Site Scripting in command.php |
IV. Related Vulnerabilities
Same product: MajorDoMo
- CVE-2026-27181
MajorDoMo Unauthenticated Module Uninstall via Market Endpoi - CVE-2026-27179
MajorDoMo Unauthenticated SQL Injection in Commands Module - CVE-2026-27177
MajorDoMo Stored Cross-Site Scripting via Property Set Endpo - CVE-2026-27178
MajorDoMo Stored Cross-Site Scripting via Method Parameters - CVE-2026-27176
MajorDoMo Reflected Cross-Site Scripting in command.php
Same vendor: sergejey
- CVE-2026-27181
MajorDoMo Unauthenticated Module Uninstall via Market Endpoi - CVE-2026-27179
MajorDoMo Unauthenticated SQL Injection in Commands Module - CVE-2026-27177
MajorDoMo Stored Cross-Site Scripting via Property Set Endpo - CVE-2026-27178
MajorDoMo Stored Cross-Site Scripting via Method Parameters - CVE-2026-27176
MajorDoMo Reflected Cross-Site Scripting in command.php
Same weakness: CWE-494
- CVE-2026-42249
Remote Code Execution in Ollama via Update Mechanism - CVE-2026-42248
Missing Signature Verification for Updates in Ollama - CVE-2026-40066
Anviz Products Download of Code Without Integrity Check - CVE-2026-3428
ASUS Member Center 安全漏洞 - CVE-2026-34841
Axios npm Supply Chain Incident Impacting @usebruno/cli
V. Comments for CVE-2026-27180
No comments yet