CVE-2026-27179: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in sergejey MajorDoMo
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
AI Analysis
Technical Summary
CVE-2026-27179 identifies a critical SQL injection vulnerability in the MajorDoMo home automation platform developed by sergejey. The vulnerability resides in the commands module, specifically in the commands_search.inc.php file, where the 'parent' parameter from HTTP GET requests is directly embedded into multiple SQL queries without any input validation, sanitization, or use of parameterized queries. This improper neutralization of special elements allows attackers to inject arbitrary SQL code. The commands module can be loaded without authentication via the /objects/?module=commands endpoint, which dynamically includes modules by name and invokes their usual() method, exposing the vulnerable code to unauthenticated users. Attackers can exploit this flaw using time-based blind SQL injection techniques, such as UNION SELECT SLEEP(), to infer data from the database. Because MajorDoMo stores administrator passwords as unsalted MD5 hashes in the users table, attackers can extract these hashes and perform offline cracking to obtain admin credentials. Successful exploitation grants full administrative access to the platform, enabling attackers to manipulate home automation controls, access sensitive data, or pivot further into the network. The vulnerability affects all versions of MajorDoMo (version 0 listed), and no patches or official fixes are currently available. The CVSS 4.0 score of 8.8 reflects the vulnerability's ease of exploitation (no authentication or user interaction required), high impact on confidentiality and integrity, and broad scope of affected systems. Although no known exploits have been reported in the wild yet, the vulnerability poses a significant threat to any deployment of MajorDoMo.
Potential Impact
For European organizations using MajorDoMo, this vulnerability presents a severe risk to the confidentiality, integrity, and availability of their home automation systems. Exploitation can lead to unauthorized disclosure of sensitive data, including administrator credentials, enabling attackers to gain full control over the platform. This could result in manipulation of connected devices, disruption of automated processes, and potential privacy violations. In environments where MajorDoMo controls critical infrastructure or safety systems (e.g., smart buildings, healthcare facilities, or industrial automation), the impact could extend to physical safety risks and operational downtime. The lack of authentication requirement and the ability to exploit remotely increase the likelihood of attacks, especially in organizations with externally accessible MajorDoMo instances. Additionally, the use of weak password hashing (unsalted MD5) exacerbates the risk by facilitating credential compromise. European entities relying on MajorDoMo for smart home or building automation should consider this vulnerability a critical threat to their cybersecurity posture.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict external network access to the MajorDoMo platform by enforcing strict firewall rules and network segmentation to limit exposure to untrusted networks. Disable or restrict access to the vulnerable commands module endpoint (/objects/?module=commands) if possible. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns, particularly those involving the 'parent' parameter and time-based injection techniques. Conduct a thorough audit of user credentials and enforce password resets with strong, salted hashing algorithms to replace unsalted MD5 hashes. Monitor logs for unusual SQL query patterns or repeated requests to the vulnerable endpoint. If feasible, deploy intrusion detection systems tuned to detect SQL injection attempts. Engage with the vendor or community to obtain or develop patches or updates that properly sanitize inputs and implement parameterized queries. Finally, educate administrators on the risks and ensure regular backups are maintained to enable recovery in case of compromise.
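The log-monitoring recommendation above can be sketched as a small triage script. This is an added example, not code from MajorDoMo or from this advisory; it assumes a common/combined access-log format and that legitimate `parent` values are numeric IDs, and the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/2026:21:30:01 +0000] "GET /objects/?module=commands&parent=12 HTTP/1.1" 200 512
198.51.100.7 - - [18/Feb/2026:21:30:05 +0000] "GET /objects/?module=commands&parent=0%20UNION%20SELECT%20SLEEP(5) HTTP/1.1" 200 498
198.51.100.7 - - [18/Feb/2026:21:30:12 +0000] "GET /objects/?module=commands&parent=0+union+select+sleep(5) HTTP/1.1" 200 498
192.0.2.10 - - [18/Feb/2026:21:31:00 +0000] "GET /objects/?module=scenes HTTP/1.1" 200 1024
203.0.113.4 - - [18/Feb/2026:21:32:00 +0000] "GET /objects/?parent=1'&module=commands HTTP/1.1" 200 498
"""

# Client address and request target from a common/combined log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
# SQL keywords and metacharacters that have no place in an ID parameter.
SQL_HINT_RE = re.compile(r"\b(union|select|sleep|benchmark)\b|['\"#;]|--|/\*", re.I)


def classify(line):
    """Return (client, verdict, parent) or None if not a commands-module request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if url.path.rstrip("/") != "/objects":
        return None
    # parse_qs URL-decodes values, so %20 and + both become spaces.
    params = parse_qs(url.query, keep_blank_values=True)
    if "commands" not in params.get("module", []):
        return None
    for value in params.get("parent", []):
        if SQL_HINT_RE.search(value):
            return (client, "sqli-pattern", value)
        if not value.isdigit():  # assumption: real parent values are numeric IDs
            return (client, "non-numeric-parent", value)
    return (client, "ok", "")


def suspicious_clients(log_text):
    """Count flagged commands-module requests per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1] != "ok":
            hits[result[0]] += 1
    return dict(hits)
```

Adjust `REQUEST_RE` to the web server's actual log format; repeated hits from one client combined with slow response times are the pattern to escalate.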
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-18T15:22:30.053Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69962e786aea4a407ae92203
Added to database: 2/18/2026, 9:26:16 PM
Last enriched: 2/18/2026, 9:41:30 PM
Last updated: 2/21/2026, 12:18:50 AM