PT-2026-21370 · Unknown · Zoneminder
Acorzo1983 · Published 2026-01-01 · Updated 2026-02-21 · CVE-2026-27470
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ZoneMinder versions 1.36.37 and below
ZoneMinder versions 1.37.61 through 1.38.0
Description
ZoneMinder is a free, open source closed-circuit television (CCTV) software application. A second-order SQL injection exists in web/ajax/status.php, in the getNearEvents() function. The Name and Cause fields of an event are written with parameterized queries, so the values are stored safely at that point. getNearEvents() later reads those stored values back and concatenates them directly into SQL WHERE clauses without escaping or binding them, so a crafted Name or Cause saved earlier is executed as SQL when the function runs. An authenticated user holding both Events edit and Events view permissions can use this to execute arbitrary SQL queries.
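The store-then-concatenate pattern the description names, as an added example that is not ZoneMinder's code: a minimal in-memory SQLite model in which an event field is saved with a parameterized statement and later read back and spliced into a WHERE clause, shown beside the bound-parameter form that closes the hole. The table and column names (Events, Id, Name, Cause), the function names, the sample rows and the payload are all assumptions constructed for this demo, not ZoneMinder's schema or getNearEvents() itself.

```python
import sqlite3


def build_db():
    """Constructed in-memory schema that models only the pattern (assumed names, not ZoneMinder's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, Cause TEXT)"
    )
    conn.executemany(
        "INSERT INTO Events (Id, Name, Cause) VALUES (?, ?, ?)",
        [(1, "Front door", "Motion"), (2, "Garage", "Signal"), (3, "Back yard", "Motion")],
    )
    conn.commit()
    return conn


def save_event_cause(conn, event_id, cause):
    """First order: the edit is parameterized, so any payload is stored verbatim and harmlessly."""
    conn.execute("UPDATE Events SET Cause = ? WHERE Id = ?", (cause, event_id))
    conn.commit()


def near_events_vulnerable(conn, event_id):
    """Second order: the stored Cause is read back and concatenated into a WHERE clause."""
    cause = conn.execute("SELECT Cause FROM Events WHERE Id = ?", (event_id,)).fetchone()[0]
    sql = (
        "SELECT Id FROM Events WHERE Cause = '" + cause + "' "
        "AND Id <> " + str(int(event_id)) + " ORDER BY Id"
    )
    return [row[0] for row in conn.execute(sql)]


def near_events_fixed(conn, event_id):
    """Hardened form: the value read from the database is bound as a parameter, never concatenated."""
    cause = conn.execute("SELECT Cause FROM Events WHERE Id = ?", (event_id,)).fetchone()[0]
    rows = conn.execute(
        "SELECT Id FROM Events WHERE Cause = ? AND Id <> ? ORDER BY Id",
        (cause, event_id),
    )
    return [row[0] for row in rows]


def demo():
    """Runs both versions against a benign stored value and a constructed payload."""
    conn = build_db()
    benign = near_events_vulnerable(conn, 1)   # [3]: the other "Motion" event
    # Constructed payload: stored harmlessly by save_event_cause, but once concatenated
    # the WHERE clause becomes  Cause = '' OR '1'='1' AND Id <> 1
    save_event_cause(conn, 1, "' OR '1'='1")
    injected = near_events_vulnerable(conn, 1)  # [2, 3]: every other row is returned
    safe = near_events_fixed(conn, 1)           # []: no other event has that literal Cause
    return benign, injected, safe


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the first write looks correct in isolation; the defect only appears in the second query, which trusts the database as a source of clean input. Binding the value on the read side, as near_events_fixed does, is the fix regardless of how it was stored.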
Recommendations
ZoneMinder versions 1.36.37 and below, and ZoneMinder versions 1.37.61 through 1.38.0: at the moment, there is no information about a newer version that contains a fix for this vulnerability. Until a fixed release is identified (check the related GHSA advisory listed below), limit the Events edit permission to trusted accounts, since both edit and view permissions on Events are required to exploit the issue.

Exploit

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-27470
GHSA-R6GM-478G-F2C4

Affected Products

Zoneminder