MajorDoMo, an open-source home automation platform, has an unauthenticated remote code execution vulnerability that is confirmed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no vendor patch has been released as of April 18, 2026. The flaw allows any unauthenticated attacker to execute arbitrary PHP code via a single crafted GET request to the admin panel. Operators must treat this as an immediate containment event, not a patch-cycle item.
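A log triage check to support containment, added here as an example and not taken from the advisory or the MajorDoMo project: it flags GET requests to the admin panel that arrived from outside a management network. The `admin.php` script name, the management range and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumptions, not taken from the advisory: adjust both to your deployment.
ADMIN_SCRIPT = "admin.php"                              # admin panel entry point
MGMT_NETS = [ipaddress.ip_network("192.168.10.0/24")]   # hosts allowed to reach it

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges, placeholder query).
SAMPLE = [
    '192.168.10.5 - - [18/Apr/2026:09:00:01 +0000] "GET /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Apr/2026:09:02:13 +0000] "GET /admin.php?param=REDACTED HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Apr/2026:09:02:15 +0000] "GET /%61dmin.php/x?param=REDACTED HTTP/1.1" 200 640 "-" "curl/8.5.0"',
    '198.51.100.20 - - [18/Apr/2026:09:05:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [18/Apr/2026:09:06:02 +0000] "POST /admin.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

def from_mgmt(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # unparseable source: treat as untrusted
    return any(addr in net for net in MGMT_NETS)

def hits_admin(target):
    """True if the decoded path has the admin script as any segment
    (covers percent-encoding, doubled slashes and trailing PATH_INFO)."""
    path = unquote(target.partition("?")[0]).lower()
    return ADMIN_SCRIPT in path.split("/")

def triage(lines):
    """Map source IP -> [(timestamp, status, has_query)] for GET requests
    to the admin panel that came from outside the management networks."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or from_mgmt(m["ip"]):
            continue
        if hits_admin(m["target"]):
            hits[m["ip"]].append((m["ts"], int(m["status"]), "?" in m["target"]))
    return dict(hits)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A flagged source is a lead for review, not proof of exploitation; the same allowlist is what a reverse proxy or firewall rule in front of the admin panel would enforce.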