EIP-2026-114640

PRE-CVE

Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114640. PoCs published by Tim Herres.

AI-analyzed exploit summary: This advisory details multiple vulnerabilities in Zoneminder, including SQL injection, XSS, session fixation, and lack of CSRF protection. It provides technical examples and payloads but does not include functional exploit code.

Description

Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery

Exploits (1)

exploitdb WRITEUP
by Tim Herres · text · webapps · php
https://www.exploit-db.com/exploits/41239


Classification: Writeup 100%
Attack Type: SQLi | XSS | Auth Bypass | Other
Complexity: Moderate
Reliability: Theoretical
Target: Zoneminder 1.29, 1.30
No auth needed
Prerequisites: Network access to the Zoneminder web interface
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026