Unrated severityNVD Advisory· Published Feb 21, 2026· Updated Feb 24, 2026

ZoneMinder: Second-Order SQL Injection in `getNearEvents()` via Stored Event Name and Cause Fields

CVE-2026-27470

Description

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.

Affected products

Zoneminder/Zoneminderv5
Range: < 1.36.38

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ZoneMinder/zoneminder/releases/tag/1.36.38mitrex_refsource_MISC
github.com/ZoneMinder/zoneminder/releases/tag/1.38.1mitrex_refsource_MISC
github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4mitrex_refsource_CONFIRM
owasp.org/www-community/attacks/SQL_Injectionmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000