CVE-2022-39291

MEDIUM

ZoneMinder < 1.36.27 - Log Injection via /zm/index.php Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-39291. PoCs published by Trenches of IT.

AI-analyzed exploit summary This exploit demonstrates a log injection vulnerability in ZoneMinder v1.36.26, which is then leveraged to bypass CSRF protections and execute a stored XSS payload. The payload deletes a specified user when an admin views the log page.

Description

ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Trenches of IT · pythonwebappsphp
https://www.exploit-db.com/exploits/51071

This exploit demonstrates a log injection vulnerability in ZoneMinder v1.36.26, which is then leveraged to bypass CSRF protections and execute a stored XSS payload. The payload deletes a specified user when an admin views the log page.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: ZoneMinder v1.36.26
Auth required
Prerequisites: Valid low-privileged user credentials · Admin user must view the log page
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References

Scores

CVSS v3 5.4
EPSS 0.0505
EPSS Percentile 91.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (1)
zoneminder/zoneminder < 1.36.27
Published Oct 07, 2022
Tracked Since Feb 18, 2026