CVE-2025-65791 — OS Command Injection in Zoneminder

CWE-78 — OS Command Injection5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 49.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedFeb 18

Description

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶debiandebian/zoneminder

▶NVDzoneminder/zoneminder1.36.34

🔴Vulnerability Details

OSV

CVE-2025-65791: ZoneMinder v1↗2026-02-18

▶

GHSA

GHSA-xw73-fccw-fgc4: ZoneMinder v1↗2026-02-18

▶

📋Vendor Advisories

Debian

CVE-2025-65791: zoneminder - ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. T...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-65791 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶