{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27470", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T17:25:31.101Z", "datePublished": "2026-02-21T08:05:01.073Z", "dateUpdated": "2026-02-24T18:29:37.068Z"}, "containers": {"cna": {"title": "ZoneMinder: Second-Order SQL Injection in `getNearEvents()` via Stored Event Name and Cause Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4"}, {"name": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38", "tags": ["x_refsource_MISC"], "url": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38"}, {"name": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1"}, {"name": "https://owasp.org/www-community/attacks/SQL_Injection", "tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-community/attacks/SQL_Injection"}], "affected": [{"vendor": "ZoneMinder", "product": "zoneminder", "versions": [{"version": "< 1.36.38", "status": "affected"}, {"version": ">= 1.37.61, < 1.38.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T08:05:01.073Z"}, "descriptions": [{"lang": "en", "value": "ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries."}], "source": {"advisory": "GHSA-r6gm-478g-f2c4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:29:18.991539Z", "id": "CVE-2026-27470", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:29:37.068Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27470", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T18:29:18.991539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:29:27.279Z"}}], "cna": {"title": "ZoneMinder: Second-Order SQL Injection in `getNearEvents()` via Stored Event Name and Cause Fields", "source": {"advisory": "GHSA-r6gm-478g-f2c4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ZoneMinder", "product": "zoneminder", "versions": [{"status": "affected", "version": "< 1.36.38"}, {"status": "affected", "version": ">= 1.37.61, < 1.38.1"}]}], "references": [{"url": "https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4", "name": "https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38", "name": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1", "name": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1", "tags": ["x_refsource_MISC"]}, {"url": "https://owasp.org/www-community/attacks/SQL_Injection", "name": "https://owasp.org/www-community/attacks/SQL_Injection", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T08:05:01.073Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27470", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:29:37.068Z", "dateReserved": "2026-02-19T17:25:31.101Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T08:05:01.073Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*", "matchCriteriaId": "464C2B6D-B9E6-429B-A894-099EC5A3F552", "versionEndExcluding": "1.36.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFEBDB7E-89B6-41EB-934B-2C1F214D1A91", "versionEndExcluding": "1.38.1", "versionStartIncluding": "1.37.61", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries."}], "id": "CVE-2026-27470", "lastModified": "2026-02-24T14:48:36.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-21T08:16:12.197", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://owasp.org/www-community/attacks/SQL_Injection"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.36.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.37.61,1.38.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zoneminder", "source": "cna", "vendor": "ZoneMinder"}, "product": "zoneminder", "vendor": "zoneminder"}], "analysis": {"en": {"generated_at": "2026-04-17T16:49:11.458946+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest released version (1.38.1 or newer) which contains the fix for the second\u2011order SQL injection.", "For installations that cannot be updated immediately, remove or restrict Events edit and view permissions from user accounts that do not require them, limiting the ability to inject SQL.", "Apply network\u2011level controls such as firewall rules or VPN restrictions to restrict access to the ZoneMinder web interface to trusted hosts only."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL Injection with authenticated access"}, "threat_synthesis": {"affected_systems": "The issue affects ZoneMinder 1.36.37 and earlier, as well as 1.37.61 through 1.38.0. Administrators should verify that their deployments fall within these version ranges. The vulnerability is present in the web interface\u2019s status.php file and can be exploited by any user with the appropriate permissions, regardless of network location.", "description_and_impact": "A second\u2011order SQL Injection vulnerability exists in ZoneMinder, a free open\u2011source closed\u2011circuit television platform. The flaw resides in the getNearEvents() routine within web/ajax/status.php. Although event Name and Cause values are inserted into the database using parameterized queries, the same stored data is later concatenated unescaped into SQL WHERE clauses during retrieval. This allows an attacker who can authenticate and possess Events edit and view rights to inject arbitrary SQL statements and thus read, modify, or delete data in the database. The attacker gains direct control over database queries but does not obtain code execution or local privileges beyond the database context.", "risk_and_exploitability": "With a CVSS v3 score of 8.8, the flaw is classified as high severity. The EPSS score is below 1\u202f%, suggesting a low probability of attack at present, and the vulnerability is not listed in CISA\u2019s Keystone Exploited Vulnerabilities catalog. Exploitation requires authentication and specific event\u2011editing privileges, limiting the attack surface to privileged users. Nonetheless, once active, the attacker could compromise the integrity and confidentiality of the ZoneMinder database and potentially disrupt surveillance functionality."}}}}, "created": "2026-02-23T14:32:16.975183+00:00", "updated": "2026-04-17T17:00:10.161706+00:00", "vendors": ["zoneminder", "zoneminder$PRODUCT$zoneminder"]}