CVE-2026-27181
Received - Intake
Unauthenticated Arbitrary Module Uninstallation in MajorDoMo

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: VulnCheck

Description
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files using removeTree(), and removes associated cycle scripts. An attacker can iterate through module names and wipe the entire MajorDoMo installation with a series of unauthenticated GET requests.
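
A log check for the request pattern the description names (`/objects/?module=market` with `mode` set to `uninstall`), as an added example that is not part of the CVE record or of MajorDoMo itself. It assumes web-server access logs in Combined Log Format; the sample lines and the `classify`/`summarise` helpers are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')

# Constructed sample lines (documentation address ranges), not real traffic
SAMPLE = '''\
203.0.113.7 - - [19/Feb/2026:10:00:01 +0000] "GET /objects/?module=market&mode=uninstall HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [19/Feb/2026:10:00:02 +0000] "GET /objects/?mode=%75ninstall&module=market HTTP/1.1" 200 498 "-" "curl/8.5.0"
198.51.100.4 - - [19/Feb/2026:10:01:00 +0000] "POST /objects/?module=market HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Feb/2026:10:02:00 +0000] "GET /objects/?module=market HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Feb/2026:10:02:05 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''.splitlines()

def classify(line):
    """Return (client, verdict) for a relevant log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target = m.groups()
    url = urlsplit(target)
    if url.path.rstrip("/") != "/objects":
        return None
    # parse_qs percent-decodes, so mode=%75ninstall is normalised as well
    q = parse_qs(url.query, keep_blank_values=True)
    if "market" not in [v.lower() for v in q.get("module", [])]:
        return None
    if "uninstall" in [v.lower() for v in q.get("mode", [])]:
        return client, "uninstall"
    # $_REQUEST also carries POST fields, which access logs do not record,
    # so a POST to the market module without a visible mode needs a human look
    if method == "POST" and "mode" not in q:
        return client, "review"
    return None

def summarise(lines):
    """Count verdicts per client address."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[0], Counter())[result[1]] += 1
    return hits

if __name__ == "__main__":
    for client, verdicts in summarise(SAMPLE).items():
        print(client, dict(verdicts))
```

Several `uninstall` hits from one address in a short window match the iteration over module names that the description warns about.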
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-20
Generated: 2026-06-16
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: mjdm
Product: majordomo
Version / Range: *
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability in MajorDoMo allows an attacker to uninstall any module without authentication by exploiting the market module's admin() method. The method reads a 'mode' parameter from user input and assigns it internally, enabling access to all mode-restricted code paths without needing to log in. Specifically, the 'uninstall' mode calls a function that deletes module records from the database, runs the module's uninstall code, removes its files and templates, and deletes related scripts. An attacker can use unauthenticated GET requests to iterate through module names and completely wipe the MajorDoMo installation.

Impact Analysis

The vulnerability can lead to a complete denial of service by allowing an attacker to uninstall all modules of the MajorDoMo system without any authentication. This results in the deletion of database records, module files, templates, and associated scripts, effectively wiping out the entire installation and disrupting all functionalities dependent on those modules.
