
CVE-2026-27174: Improper Control of Generation of Code ('Code Injection') in sergejey MajorDoMo

0
Critical
Published: Wed Feb 18 2026 (02/18/2026, 21:10:36 UTC)
Source: CVE Database V5
Vendor/Project: sergejey
Product: MajorDoMo

Description

MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/07/2026, 21:03:35 UTC

Technical Analysis

CVE-2026-27174 is a severe code injection vulnerability affecting MajorDoMo, an open-source home automation platform developed by sergejey. The root cause is an include order bug in the file modules/panel.class.php, where a redirect() call intended to prevent unauthorized access lacks an exit statement, allowing execution to continue. This flaw permits unauthenticated HTTP requests to reach the ajax handler in inc_panel_ajax.php. Within this handler, the console feature processes user input from GET parameters (ajax_panel, op, and command) and directly passes these inputs to PHP's eval() function via the legacy register_globals mechanism without any authentication or input validation. This results in arbitrary PHP code execution on the server. The vulnerability requires no privileges or user interaction, making it trivially exploitable remotely. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low complexity, no authentication or user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's nature and ease of exploitation make it a critical threat. The affected version is listed as '0', which likely refers to early or default versions of MajorDoMo. The lack of an official patch link suggests that users must monitor vendor advisories closely. This vulnerability allows attackers to fully compromise affected systems, potentially leading to data theft, system manipulation, or pivoting within networks.
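The control-flow defect described in the description and analysis above, as an added illustration that is not MajorDoMo's code: the advisory names modules/panel.class.php and inc_panel_ajax.php but shows no source, so every function name below (panel_ajax_vulnerable, panel_ajax_fixed, console_action, guarded_console_action) is hypothetical. It contrasts a guard whose redirect() is not followed by exit, so the included handler still runs for an unauthenticated request, with a hardened form that exits after redirecting and additionally re-checks authorization inside the handler itself.

```php
<?php
// Added illustration, not MajorDoMo's code. It models the defect the advisory
// describes (a redirect() that is not followed by exit, so an included AJAX
// handler still executes) next to a hardened form. All names are hypothetical.

function redirect(string $url): void
{
    // Sends a Location header but does NOT stop the script; whatever follows
    // the caller's redirect() call still executes unless the caller exits.
    header('Location: ' . $url);
}

// Stand-in for the privileged console action. The advisory says the real
// handler passes a request parameter to eval(); this stand-in only records
// that it was reached, which is all the demonstration needs.
function console_action(string $command): string
{
    return 'console handler reached with: ' . $command;
}

// Vulnerable shape: the guard redirects but falls through to the handler.
function panel_ajax_vulnerable(bool $isAdmin, string $command): string
{
    if (!$isAdmin) {
        redirect('/login.php');
        // BUG: no exit here, so execution continues below for anyone
    }
    return console_action($command);
}

// Handler that enforces its own authorization check, so it is safe even
// when it is included or invoked without passing through the guard.
function guarded_console_action(bool $isAdmin, string $command): string
{
    if (!$isAdmin) {
        http_response_code(403);
        return 'forbidden';
    }
    return console_action($command);
}

// Hardened shape: (1) terminate after the redirect, and (2) delegate to a
// handler that re-checks authorization itself (defense in depth).
function panel_ajax_fixed(bool $isAdmin, string $command): string
{
    if (!$isAdmin) {
        redirect('/login.php');
        exit; // nothing below runs for unauthenticated requests
    }
    return guarded_console_action($isAdmin, $command);
}

// CLI demo with a constructed placeholder command: an unauthenticated request
// reaches the console in the vulnerable version but not in the hardened one.
echo panel_ajax_vulnerable(false, 'example-command'), PHP_EOL;  // handler reached
echo guarded_console_action(false, 'example-command'), PHP_EOL; // forbidden
echo panel_ajax_fixed(true, 'example-command'), PHP_EOL;        // admin path works
```

The second check inside guarded_console_action is the part that matters most for review: a redirect-then-exit guard protects only callers that go through it, whereas an authorization check inside the handler holds no matter which include path or request reaches it.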

Potential Impact

The impact of CVE-2026-27174 is severe for organizations using MajorDoMo in their home or building automation environments. Successful exploitation grants attackers full remote code execution capabilities without authentication, enabling complete system compromise. This can lead to unauthorized access to sensitive data, manipulation or disruption of automation controls, and potential use of the compromised system as a foothold for lateral movement within internal networks. The breach of confidentiality, integrity, and availability can result in privacy violations, operational downtime, and safety risks, especially if critical automation functions are controlled. Given the nature of MajorDoMo as a domestic module, affected systems may be deployed in residential, commercial, or industrial settings, amplifying the potential consequences. The ease of exploitation and network accessibility make this vulnerability attractive to attackers, increasing the likelihood of targeted or opportunistic attacks. Organizations worldwide relying on MajorDoMo should consider this a high-priority threat requiring immediate attention.

Mitigation Recommendations

To mitigate CVE-2026-27174, organizations should take the following specific actions:

1) Immediately check for and apply any official patches or updates released by the MajorDoMo project addressing this vulnerability.
2) If patches are not yet available, restrict network access to the /admin.php endpoint, especially the ajax_panel functionality, by implementing firewall rules or network segmentation to limit exposure only to trusted administrators.
3) Disable or remove the PHP console feature within MajorDoMo if it is not essential, reducing the attack surface.
4) Implement web application firewalls (WAFs) with custom rules to detect and block suspicious GET requests containing code injection patterns targeting the ajax_panel parameters.
5) Monitor server logs for unusual or unauthorized access attempts to /admin.php and related ajax handlers.
6) Consider deploying runtime application self-protection (RASP) solutions that can detect and prevent eval() based code injection at runtime.
7) Educate administrators on the risks of exposing administrative interfaces publicly and enforce strong access controls and authentication mechanisms.
8) Review and disable legacy PHP features like register_globals if possible, as they contribute to the vulnerability.

These targeted mitigations go beyond generic advice by focusing on the specific vulnerable components and attack vectors involved.


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-18T15:22:30.052Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69962e786aea4a407ae921ea

Added to database: 2/18/2026, 9:26:16 PM

Last enriched: 3/7/2026, 9:03:35 PM

Last updated: 4/9/2026, 7:05:49 AM

Views: 83
