CVE-2026-27470
Published: 21 February 2026
Summary
CVE-2026-27470 is a high-severity SQL Injection (CWE-89) vulnerability in ZoneMinder. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 1.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires identification, reporting, and timely correction of flaws such as the second-order SQL injection in ZoneMinder via the available patches in versions 1.36.38 and 1.38.1.
- SI-10 (Information Input Validation): mandates validation of information inputs such as the Event Name and Cause fields before they are concatenated into SQL WHERE clauses, directly preventing SQL injection exploitation.
- RA-5 (Vulnerability Monitoring and Scanning): involves scanning for vulnerabilities like this SQL injection and responding promptly, enabling proactive mitigation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The second-order SQL injection in a public-facing web application (status.php) allows an authenticated user with limited Events permissions to run arbitrary queries. This maps to exploitation of internet-facing applications (T1190) and enables escalation from limited Events permissions to full database control, with high confidentiality, integrity, and availability impact.
NVD Description
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.
Deeper analysis
CVE-2026-27470 is a second-order SQL injection vulnerability affecting ZoneMinder, a free open-source closed-circuit television software application. The issue resides in the web/ajax/status.php file, specifically within the getNearEvents() function, impacting versions 1.36.37 and below, as well as 1.37.61 through 1.38.0. Event field values such as Name and Cause are initially stored safely using parameterized queries but are later retrieved and directly concatenated into SQL WHERE clauses without proper escaping, enabling injection.
An authenticated user with Events edit and view permissions can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary SQL queries, potentially leading to high-impact confidentiality, integrity, and availability violations, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Mitigation is available through patched releases: ZoneMinder 1.36.38 and 1.38.1 address the vulnerability, as detailed in the project's GitHub security advisory (GHSA-r6gm-478g-f2c4). Security practitioners should upgrade affected installations immediately and review access controls for Events permissions.
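The second-order pattern described above, as an added illustration that is not code from ZoneMinder or from the advisory: a value is stored with a bound parameter (safe on write), then read back and spliced into a second WHERE clause (unsafe on read), beside the hardened form that binds the retrieved value again. The Events table, column names and sample rows are constructed for this example and are not ZoneMinder's real schema.

```python
import sqlite3

# Constructed stand-in for an events table (assumption, not ZoneMinder's schema).
SAMPLE_EVENTS = [
    (1, "Front door", "Motion"),
    (2, "Back yard", "Signal"),
    (3, "Garage", "Motion"),
]


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, Cause TEXT)")
    db.executemany("INSERT INTO Events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return db


def store_event(db, event_id, name, cause):
    # First order is safe: the value is bound, so quotes inside it are stored literally.
    db.execute("INSERT INTO Events VALUES (?, ?, ?)", (event_id, name, cause))


def near_events_vulnerable(db, event_id):
    # Second order: the stored Name is read back and concatenated into a new
    # WHERE clause, so any quote characters it carries now act as SQL syntax.
    name = db.execute("SELECT Name FROM Events WHERE Id = ?", (event_id,)).fetchone()[0]
    sql = "SELECT Id FROM Events WHERE Name = '" + name + "'"
    return sorted(row[0] for row in db.execute(sql))


def near_events_fixed(db, event_id):
    # Hardened form: the retrieved value is bound again instead of interpolated,
    # so the database treats it purely as data in the second query too.
    name = db.execute("SELECT Name FROM Events WHERE Id = ?", (event_id,)).fetchone()[0]
    rows = db.execute("SELECT Id FROM Events WHERE Name = ?", (name,))
    return sorted(row[0] for row in rows)


def demo():
    db = setup_db()
    # Constructed event whose Name contains a quote and a tautology. The safe
    # INSERT stores it verbatim; only the concatenating reader misinterprets it.
    store_event(db, 4, "x' OR '1'='1", "Motion")
    return near_events_vulnerable(db, 4), near_events_fixed(db, 4)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("concatenated WHERE matched ids:", vuln)   # every row, not just 4
    print("parameterized WHERE matched ids:", fixed)  # only the event itself
```

The point for reviewers is that "stored via parameterized queries" says nothing about later reads: every query that re-uses a stored value must bind it again, which is exactly the fix SI-10 describes.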
Details
- CWE(s)