Vulnerability Description
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.
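To make the second-order pattern concrete, the following is an added illustration (not ZoneMinder's own code; table, column and function names, and the sample rows, are constructed for this example). The write path uses a parameterized query, so the stored value looks safe, but a later read path concatenates the stored `Name` into a WHERE clause, so a crafted value injected at write time alters the second query. The hardened variant passes the retrieved value as a bound parameter, which is the fix for this class of bug.

```python
import sqlite3

# Constructed sample events: two share the same Name so the "near events"
# lookup has a legitimate match to return.
SAMPLE_EVENTS = [
    (1, "Front door", "Motion", 100),
    (2, "Back yard", "Motion", 200),
    (3, "Back yard", "Alarm", 300),
]


def make_db():
    """Create an in-memory table resembling an events table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, Cause TEXT, StartTime INTEGER)"
    )
    conn.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def rename_event(conn, event_id, new_name):
    """Write path: parameterized, so the value is stored verbatim and safely."""
    conn.execute("UPDATE Events SET Name = ? WHERE Id = ?", (new_name, event_id))
    conn.commit()


def _stored_name(conn, event_id):
    row = conn.execute("SELECT Name FROM Events WHERE Id = ?", (event_id,)).fetchone()
    return row[0] if row else None


def near_events_vulnerable(conn, event_id):
    """Read path with the defect: the stored Name is trusted and concatenated
    into the WHERE clause, so a value saved earlier becomes SQL here."""
    name = _stored_name(conn, event_id)
    sql = (
        "SELECT Id FROM Events WHERE Name = '" + name + "'"
        " AND Id != " + str(int(event_id)) + " ORDER BY Id"
    )
    return [row[0] for row in conn.execute(sql)]


def near_events_fixed(conn, event_id):
    """Hardened read path: the retrieved value is bound as a parameter, so the
    database engine treats it as data regardless of its contents."""
    name = _stored_name(conn, event_id)
    sql = "SELECT Id FROM Events WHERE Name = ? AND Id != ? ORDER BY Id"
    return [row[0] for row in conn.execute(sql, (name, event_id))]


def demo():
    """Store a crafted Name through the safe write path, then compare the two
    read paths. Returns (vulnerable_result, fixed_result) for event 1."""
    conn = make_db()
    # Constructed payload: a quote closes the string literal in the vulnerable query.
    rename_event(conn, 1, "x' OR '1'='1")
    return near_events_vulnerable(conn, 1), near_events_fixed(conn, 1)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable read path returned:", vulnerable)  # every other event
    print("fixed read path returned:", fixed)            # no match: the literal is just data
```

Running `demo()` shows the vulnerable read returning every other event id even though no event shares the crafted name, while the fixed read returns nothing for that value and still returns the legitimate neighbour for a benign name. The review heuristic this suggests is to treat every value read back from the database as untrusted input to the next query, exactly as if it had just arrived from the request.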
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zoneminder | Zoneminder | < 1.36.38 |
Related Weaknesses (CWE)
References
- https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38 (Product, Release Notes)
- https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1 (Product, Release Notes)
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4 (Exploit, Mitigation, Vendor Advisory)
- https://owasp.org/www-community/attacks/SQL_Injection (Not Applicable)
FAQ
What is CVE-2026-27470?
CVE-2026-27470 is a vulnerability with a CVSS score of 8.8 (HIGH). ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the w...
How severe is CVE-2026-27470?
CVE-2026-27470 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-27470?
Check the references section above for vendor advisories and patch information. Affected products include: Zoneminder (vendor), Zoneminder (product).