ZoneMinder: Unauthorized Access to Database Records
CVE-2026-27470
Summary
ZoneMinder, an open-source application for monitoring CCTV cameras, has a SQL injection flaw. An authenticated user with permission to view and edit events can use it to access data they are not authorized to see. To fix this, update to a safe version of ZoneMinder.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| zoneminder | zoneminder | <= 1.36.38 | – |
| zoneminder | zoneminder | > 1.37.61, <= 1.38.1 | – |
Original title
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in th...
Original description
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.
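The second-order pattern described above, as an added example that is not ZoneMinder's code: a value is written with a parameterized INSERT (safe), then read back and concatenated into a later WHERE clause (unsafe), beside the hardened form that binds the retrieved value. The table layout, the function names and the query shape are assumptions for illustration; Python with an in-memory SQLite database is used so it runs anywhere, whereas the real flaw is in PHP.

```python
import sqlite3

def make_db():
    # Constructed stand-in schema with the Name and Cause columns the advisory names;
    # this is not ZoneMinder's real Events table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Events (Id INTEGER PRIMARY KEY, MonitorId INTEGER, "
               "Name TEXT, Cause TEXT, StartTime INTEGER)")
    return db

def store_event(db, monitor_id, name, cause, start):
    # First-order write: parameterized, so the value is stored verbatim and safely.
    cur = db.execute("INSERT INTO Events (MonitorId, Name, Cause, StartTime) VALUES (?, ?, ?, ?)",
                     (monitor_id, name, cause, start))
    db.commit()
    return cur.lastrowid

def load_event(db, event_id):
    return db.execute("SELECT MonitorId, Name, StartTime FROM Events WHERE Id = ?",
                      (event_id,)).fetchone()

def next_event_vulnerable(db, event_id):
    # Second-order flaw: the stored Name is trusted because it "came from the database"
    # and is interpolated into SQL, so whoever set the Name controls this query's text.
    mid, name, start = load_event(db, event_id)
    sql = (f"SELECT Id FROM Events WHERE MonitorId = {mid} AND Name = '{name}' "
           f"AND StartTime > {start} ORDER BY StartTime LIMIT 1")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def next_event_fixed(db, event_id):
    # Hardened form: values read back from the database are bound as parameters,
    # exactly as they were when stored, so they can never change the query structure.
    mid, name, start = load_event(db, event_id)
    row = db.execute("SELECT Id FROM Events WHERE MonitorId = ? AND Name = ? "
                     "AND StartTime > ? ORDER BY StartTime LIMIT 1",
                     (mid, name, start)).fetchone()
    return row[0] if row else None

def demo():
    # Constructed sample data: a benign name containing a quote is enough to show that
    # the concatenated query is built from untrusted text (here it simply fails to parse).
    db = make_db()
    first = store_event(db, 1, "Front door (O'Brien)", "Motion", 100)
    second = store_event(db, 1, "Front door (O'Brien)", "Motion", 200)
    try:
        next_event_vulnerable(db, first)
        vulnerable_query_parsed = True
    except sqlite3.OperationalError:
        vulnerable_query_parsed = False
    return vulnerable_query_parsed, next_event_fixed(db, first) == second
```

Run `demo()`: the concatenated query breaks on the stored quote while the parameterized one returns the following event, which is the symptom a code review of getNearEvents() should look for.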
nvd CVSS3.1
8.8
Vulnerability type
CWE-89
SQL Injection
References
- https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38 (Product, Release Notes)
- https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1 (Product, Release Notes)
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4 (Exploit, Mitigation, Vendor Advisory)
- https://owasp.org/www-community/attacks/SQL_Injection (Not Applicable)
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026