CVE-2026-27470: SQL Injection in ZoneMinder

CWE-89 SQL Injection | 4 documents | 4 sources

Severity: 8.8 HIGH (NVD)
EPSS: 0.0% (top 98.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 21

Description

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permiss

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.8 | Impact: 5.9)

Affected Packages (3 packages)

Source      Package                 Affected range
NVD         zoneminder/zoneminder   introduced 1.37.61, fixed 1.38.1 (+1)
CVEListV5   zoneminder/zoneminder   >= 1.37.61, < 1.38.1

Vulnerability Details (1)

OSV: CVE-2026-27470: ZoneMinder is a free, open source closed-circuit television software application (2026-02-21)

Vendor Advisories (1)

Debian: CVE-2026-27470: zoneminder - ZoneMinder is a free, open source closed-circuit television software application... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-27470 Impact, Exploitability, and Mitigation Steps | Wiz