2 matches found
CVE-2026-27470
ZoneMinder (versions 1.36.37 and earlier; 1.37.61–1.38.0) contains a second‑order SQL Injection in web/ajax/status.php:getNearEvents(). Although event fields Name and Cause are stored via parameterized queries, they are concatenated into SQL WHERE clauses without escaping, allowing an authenticat...
CVE-2026-27470 ZoneMinder: Second-Order SQL Injection in `getNearEvents()` via Stored Event Name and Cause Fields
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents function. Event field values specifically Name a...