CVE-2026-27179: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in sergejey MajorDoMo
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
AI Analysis
Technical Summary
CVE-2026-27179 is an unauthenticated SQL injection vulnerability found in the MajorDoMo (Major Domestic Module) home automation platform developed by sergejey. The flaw resides in the commands module, specifically in the commands_search.inc.php file, where the $_GET['parent'] parameter is directly embedded into multiple SQL queries without any input sanitization or use of parameterized queries. The commands module can be loaded without authentication through the /objects/?module=commands endpoint, which dynamically includes arbitrary modules by name and invokes their usual() method. This design flaw allows attackers to inject malicious SQL code, such as time-based blind SQL injection using UNION SELECT SLEEP() syntax, to infer database contents. Because MajorDoMo stores administrator passwords as unsalted MD5 hashes in the users table, attackers who successfully exploit this vulnerability can extract hashed credentials and potentially crack them offline to gain admin panel access. The vulnerability has a CVSS 4.0 base score of 8.8, reflecting its high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. Although no public exploits are currently known, the ease of exploitation and critical impact make this a significant threat to affected installations. The lack of available patches at the time of disclosure increases the urgency for mitigation.
Potential Impact
The exploitation of CVE-2026-27179 can have severe consequences for organizations using MajorDoMo. Attackers can remotely execute SQL injection attacks without any authentication, allowing them to extract sensitive data from the backend database. This includes administrator credentials stored as unsalted MD5 hashes, which can be cracked offline to gain full administrative access to the MajorDoMo platform. With admin access, attackers can manipulate home automation settings, potentially causing physical security risks, privacy violations, and operational disruptions. The compromise of admin credentials also enables lateral movement within the network, increasing the risk of broader system compromise. The vulnerability threatens confidentiality by exposing sensitive user and system data, integrity by allowing unauthorized modifications, and availability if attackers disrupt system operations. Given MajorDoMo’s use in smart home and building automation, the impact extends beyond IT systems to physical environments, making this a critical security risk.
Mitigation Recommendations
To mitigate CVE-2026-27179:
- Immediately restrict access to the /objects/?module=commands endpoint with network-level controls such as firewalls or VPNs, limiting exposure to trusted users only.
- Enforce input validation and sanitization on all user-supplied parameters, especially $_GET['parent'], to prevent injection of malicious SQL code.
- Refactor the commands module to use parameterized queries or prepared statements instead of direct string interpolation.
- Since no official patches are currently available, consider disabling or removing the vulnerable commands module, if feasible, until a fix is released.
- Migrate password storage from unsalted MD5 hashes to strong, salted hashing algorithms such as bcrypt or Argon2 to reduce credential-cracking risk.
- Monitor logs for suspicious SQL injection attempts and unauthorized access patterns.
- Conduct regular security assessments and penetration tests focusing on web application endpoints.
- Maintain an incident response plan to quickly address any detected exploitation attempts.
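One way to act on the log-monitoring recommendation, as an added example (not MajorDoMo or vendor code): a Python triage pass over web access logs that flags requests loading the commands module through /objects/ and checks the parent parameter for the SQL tokens named in the description. The log lines are constructed, and the trailing request-duration field and the 3-second threshold are assumptions about the local log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: combined log format plus an ASSUMED trailing field
# holding the request duration in seconds (not a default in most web servers).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2026:21:30:01 +0000] "GET /objects/?module=commands'
    '&parent=1%20UNION%20SELECT%20SLEEP(5) HTTP/1.1" 200 512 "-" "curl/8.0" 5.012',
    '198.51.100.4 - - [18/Feb/2026:21:31:10 +0000] "GET /objects/?module=commands'
    '&parent=12 HTTP/1.1" 200 733 "-" "Mozilla/5.0" 4.870',
    '192.0.2.10 - - [18/Feb/2026:21:32:44 +0000] "GET /objects/?module=commands'
    '&parent=12 HTTP/1.1" 200 733 "-" "Mozilla/5.0" 0.041',
    '192.0.2.10 - - [18/Feb/2026:21:33:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1500 "-" "Mozilla/5.0" 0.030',
]

# Captures: client address, request target, request duration (last field).
LINE_RE = re.compile(
    r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} .* (\d+(?:\.\d+)?)$')
# Keywords the advisory names, plus common SQL quoting and comment characters.
SQL_TOKENS = re.compile(r"\b(?:union|select|sleep)\b|['#;]|--", re.IGNORECASE)
SLOW_SECONDS = 3.0  # assumed threshold; tune to the site's normal latency


def classify(line):
    """Return (client, verdict) for requests to the commands module, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, duration = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    if url.path.rstrip("/") != "/objects" or "commands" not in query.get("module", []):
        return None
    parent = " ".join(query.get("parent", []))
    if SQL_TOKENS.search(parent):
        return client, "sqli-pattern"      # SQL syntax inside the parent value
    if float(duration) >= SLOW_SECONDS:
        return client, "slow-response"     # delay consistent with time-based probing
    return client, "module-access"         # module loaded via /objects/, review source


def scan(lines):
    """Classify every line and keep only the hits on the commands module."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}")
```

Payloads sent in a POST body or obfuscated past the token list will only surface through the slow-response and module-access verdicts, so treat every hit on this endpoint from an untrusted address as worth review.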
Affected Countries
United States, Germany, Russia, China, United Kingdom, France, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-18T15:22:30.053Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69962e786aea4a407ae92203
Added to database: 2/18/2026, 9:26:16 PM
Last enriched: 3/7/2026, 9:04:31 PM
Last updated: 4/9/2026, 8:40:18 AM