VDB

CVE-2026-27470

CVE-2026-27470 · PUBLISHED · CVSS 8.8 HIGH

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are written with parameterized queries, so the initial store is safe, but getNearEvents() later reads those stored values back and concatenates them directly into SQL WHERE clauses without escaping or binding, so a payload saved into Name or Cause is executed as SQL on the later read. An authenticated user with Events edit and view permissions (edit to store the payload, view to trigger the vulnerable query) can exploit this to execute arbitrary SQL queries. The affected-version ranges listed below indicate the fix shipped in 1.36.38 and 1.38.1.
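The mechanism described above, as an added example that is not ZoneMinder's code: a hypothetical Events/Users schema in SQLite, a parameterized write (safe on its own), a lookup modeled on getNearEvents() that trusts the stored Name and Cause and concatenates them into the WHERE clause, and the same lookup with the values bound as parameters. The table layout, the function names, the sample rows and the payload are all constructed for this illustration; ZoneMinder itself is PHP over MySQL, and the trailing space after `--` in the payload is there because MySQL only treats `-- ` (with whitespace) as a comment.

```python
import sqlite3

# Constructed, simplified schema for the demo (not ZoneMinder's real tables).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, Cause TEXT, StartDateTime TEXT);
        CREATE TABLE Users  (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        INSERT INTO Users  VALUES (1, 'admin', '$2y$10$constructed-hash');
        INSERT INTO Events VALUES (1, 'Front door', 'Motion', '2026-02-20 10:00:00');
        INSERT INTO Events VALUES (2, 'Front door', 'Motion', '2026-02-20 11:00:00');
        INSERT INTO Events VALUES (3, 'Back door',  'Linked', '2026-02-20 12:00:00');
    """)
    return conn

def save_event_fields(conn, event_id, name, cause):
    """First-order write. Fully parameterized, so the payload is stored verbatim
    as data; this step is not exploitable on its own (what an Events-edit user does)."""
    conn.execute("UPDATE Events SET Name = ?, Cause = ? WHERE Id = ?", (name, cause, event_id))
    conn.commit()

def next_event_vulnerable(conn, event_id):
    """Second-order sink, modeled on the getNearEvents() pattern: the stored
    Name/Cause are read back and spliced into the WHERE clause by string
    concatenation, so whatever was saved earlier now runs as SQL."""
    name, cause, start = conn.execute(
        "SELECT Name, Cause, StartDateTime FROM Events WHERE Id = ?", (event_id,)).fetchone()
    sql = ("SELECT Id FROM Events WHERE Name = '" + name + "' AND Cause = '" + cause +
           "' AND StartDateTime > '" + start + "' ORDER BY StartDateTime LIMIT 1")
    return [row[0] for row in conn.execute(sql).fetchall()]

def next_event_fixed(conn, event_id):
    """Same lookup with the retrieved values bound as parameters: data read back
    from the database is still untrusted input to the next query."""
    name, cause, start = conn.execute(
        "SELECT Name, Cause, StartDateTime FROM Events WHERE Id = ?", (event_id,)).fetchone()
    rows = conn.execute(
        "SELECT Id FROM Events WHERE Name = ? AND Cause = ? AND StartDateTime > ? "
        "ORDER BY StartDateTime LIMIT 1", (name, cause, start)).fetchall()
    return [row[0] for row in rows]

# Constructed payload: closes the Name literal, UNIONs in the Users table,
# and comments out the rest of the original WHERE/ORDER BY.
PAYLOAD = "' UNION SELECT Username || ':' || Password FROM Users -- "

def demo():
    conn = make_db()
    benign = next_event_vulnerable(conn, 1)        # [2]: normal "next event" lookup
    save_event_fields(conn, 1, PAYLOAD, "Motion")  # safe store of a malicious Name
    leaked = next_event_vulnerable(conn, 1)        # ['admin:$2y$10$constructed-hash']
    safe = next_event_fixed(conn, 1)               # []: payload is just a non-matching name
    return benign, leaked, safe

if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one that matters when auditing for this bug class: a parameterized INSERT or UPDATE proves nothing about the later SELECT, so every place that builds SQL from a column read back out of the database needs the same binding discipline as a request parameter.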

EPSS 0.01% · 2.0th percentile

Risk Scores

CVSS v3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.01%
2.0th percentile

Affected Products

Vendor       Product      Versions
zoneminder   zoneminder   1.37.61, 0, 1.37.61
ZoneMinder   zoneminder   < 1.36.38; >= 1.37.61, < 1.38.1

Timeline

  • Feb 19, 2026 CVE ID Reserved
  • Feb 21, 2026 EPSS Score
  • Feb 21, 2026 CVE Published
  • Feb 21, 2026 PoC Published
  • Feb 21, 2026 PoC Published
  • Feb 21, 2026 PoC Published
  • Feb 23, 2026 EPSS Score
  • Feb 24, 2026 EPSS Score
  • Feb 24, 2026 PoC Published
  • Feb 24, 2026 CVE Updated
  • Feb 26, 2026 EPSS Score
  • Feb 27, 2026 EPSS Score