CVE-2026-27470

HIGH

ZoneMinder <=1.36.37, 1.37.61-1.38.0 - SQL Injection


Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-27470. PoCs published by XiaomingX, kocaemre, XZ1r0.

AI-analyzed exploit summary

This repository contains a functional proof-of-concept exploit for CVE-2026-27470, a second-order SQL injection vulnerability in ZoneMinder. The exploit demonstrates how an authenticated attacker can extract arbitrary data from the database by leveraging a stored payload in the event name field.

Description

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.

Exploits (4)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27470

This repository contains a functional proof-of-concept exploit for CVE-2026-27470, a second-order SQL injection vulnerability in ZoneMinder. The exploit demonstrates how an authenticated attacker can extract arbitrary data from the database by leveraging a stored payload in the event name field.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ZoneMinder ≤ 1.36.37 and 1.37.61 – 1.38.0
Auth required
Prerequisites: Authenticated user with Events edit and view permissions · Valid event ID
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 1 stars
by kocaemre · poc
https://github.com/kocaemre/CVE-2026-27470

This repository contains a functional proof-of-concept exploit for CVE-2026-27470, a second-order SQL injection vulnerability in ZoneMinder. The exploit demonstrates how an authenticated attacker can extract arbitrary data from the database by leveraging a stored payload in the Events.Name field.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ZoneMinder ≤ 1.36.37 and 1.37.61 – 1.38.0
Auth required
Prerequisites: Authenticated user with Events edit and view permissions · Valid event ID to use as injection carrier
devstral-2 · analyzed Feb 22, 2026
github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-27470

This repository contains a functional Python-based exploit for CVE-2026-27470, a second-order SQL injection vulnerability in ZoneMinder. The exploit demonstrates the two-phase attack: first injecting a payload into an event's Name or Cause field via a parameterized query, then triggering the injection by invoking the vulnerable `getNearEvents()` function, which unsafely concatenates the stored payload into a new SQL query.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ZoneMinder <= 1.36.37 and 1.37.61 - 1.38.0
Auth required
Prerequisites: Authenticated access with Events edit and view permissions · At least one existing event in the ZoneMinder database
devstral-2 · analyzed May 21, 2026
nomisec WORKING POC
by d3vn0mi · poc
https://github.com/d3vn0mi/CVE-2026-27470-POC

This repository contains a functional exploit PoC for CVE-2026-27470, a second-order SQL injection vulnerability in ZoneMinder's `getNearEvents()` function. The exploit demonstrates how an attacker can store a malicious payload in an event's Name or Cause field and later trigger it via the status API to execute arbitrary SQL queries.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ZoneMinder <= 1.36.37 and 1.37.61 – 1.38.0
Auth required
Prerequisites: Authenticated user with Events permission · Access to an event ID for injection
devstral-2 · analyzed Mar 14, 2026


Scores

CVSS v3 8.8
EPSS 0.0001
EPSS Percentile 2.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
zoneminder/zoneminder < 1.36.38
Published Feb 21, 2026
Tracked Since Feb 21, 2026