CVE-2026-27470

HIGH

ZoneMinder <=1.36.37, 1.37.61-1.38.0 - SQL Injection

Title source: llm

Description

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.

Exploits (3)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27470

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by kocaemre · poc

https://github.com/kocaemre/CVE-2026-27470

View Code ZIP pw:eip

nomisec WORKING POC

by d3vn0mi · poc

https://github.com/d3vn0mi/CVE-2026-27470-POC

View Code ZIP pw:eip

References (4)

[Various Sources] https://owasp.org/www-community/attacks/SQL_Injection

[Vendor Advisory] https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4

[Release Notes] https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38

[Release Notes] https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1

Scores

CVSS v3 8.8

EPSS 0.0001

EPSS Percentile 1.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

zoneminder/zoneminder < 1.36.38

Published Feb 21, 2026

Tracked Since Feb 21, 2026