CVE-2026-27175 is a pre-authentication OS command injection vulnerability (CVSS 9.8, CWE-78) in MajorDoMo, an open-source smart home automation platform; CISA has confirmed active exploitation and added this to the KEV catalog (EPSS 96th percentile). The vulnerability chain involves unsanitized user input passed through safe_exec() into a database-backed command queue, dequeued by a publicly accessible cycle_execs.php endpoint with no authentication, enabling code execution within approximately one second via a race condition. Any internet-exposed MajorDoMo instance should be treated as compromised pending containment; organizations should immediately block access to rc/index.php and cycle_execs.php at the perimeter and check the MajorDoMo project repository for patch availability.