Product
zoneminder
86 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-27470 (affected: < 1.36.38): ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 throug
CVE-2025-65791 (affected: all versions): ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input direc
CVE-2023-31493 (affected: <= 1.36.33): RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder,
CVE-2024-43360 (affected: < 1.36.34): ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injec
CVE-2024-43359 (affected: < 1.36.34): ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerabil
CVE-2024-43358 (affected: < 1.36.34): ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerabil
CVE-2023-41884 (affected: < 1.36.34): ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, Line: 51 takes a few para
CVE-2020-25730 (affected: < 1.34.21): Cross Site Scripting (XSS) vulnerability in ZoneMinder before version 1.34.21, allows remote attackers execute arbitrary code, esc
CVE-2023-26039 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2023-26038 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2023-26037 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2023-26036 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2023-26035 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2023-26034 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2023-26032 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2023-25825 (affected: < 1.36.33): ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog camer
CVE-2022-30769 (affected: <= 1.36.12): Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.
CVE-2022-30768 (affected: all versions): A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the User
CVE-2022-39291 (affected: < 1.36.27): ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a
CVE-2022-39290 (affected: < 1.36.27): ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can byp
CVE-2022-39289 (affected: <= 1.36.27): ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes
CVE-2022-39285 (affected: < 1.36.27): ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site
CVE-2022-29806 (affected: < 1.36.13): ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary
CVE-2020-25729 (affected: < 1.34.21): ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php.
CVE-2019-13072 (affected: all versions): Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in t
CVE-2019-8429 (affected: < 1.32.3): ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
CVE-2019-8428 (affected: < 1.32.3): ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGro
CVE-2019-8427 (affected: < 1.32.3): daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.
CVE-2019-8426 (affected: < 1.32.3): skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl
CVE-2019-8425 (affected: < 1.32.3): includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
CVE-2019-8424 (affected: < 1.32.3): ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
CVE-2019-8423 (affected: <= 1.32.3): ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
CVE-2019-7352 (affected: <= 1.32.3): Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'state' (aka Run State) (state.php) does
CVE-2019-7351 (affected: <= 1.32.3): Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which i
CVE-2019-7350 (affected: <= 1.32.3): Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user
CVE-2019-7349 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code
CVE-2019-7348 (affected: <= 1.32.3): Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript c
CVE-2019-7347 (affected: <= 1.32.3): A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMinder through 1.32.3 as a session remains active for an authent
CVE-2019-7346 (affected: <= 1.32.3): A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a CSRF check fails, a callback function is called displaying a
CVE-2019-7345 (affected: <= 1.32.3): Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input va
CVE-2019-7344 (affected: <= 1.32.3): Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'filter' as
CVE-2019-7343 (affected: <= 1.32.3): Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript cod
CVE-2019-7342 (affected: <= 1.32.3): POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via
CVE-2019-7341 (affected: <= 1.32.3): Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript cod
CVE-2019-7340 (affected: <= 1.32.3): POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via
CVE-2019-7339 (affected: <= 1.32.3): POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via
CVE-2019-7338 (affected: <= 1.32.3): Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'group'
CVE-2019-7337 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the
CVE-2019-7336 (affected: <= 1.32.3): Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view _monitor_filters.php contains takes in i
CVE-2019-7335 (affected: <= 1.32.3): Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'log' a
CVE-2019-7334 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code
CVE-2019-7333 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code
CVE-2019-7332 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code
CVE-2019-7331 (affected: <= 1.32.3): Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 while editing an existing monitor field named "signal
CVE-2019-7330 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code
CVE-2019-7329 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the form action on multiple views utilizes $_SERVER['
CVE-2019-7328 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code
CVE-2019-7327 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code
CVE-2019-7326 (affected: <= 1.32.3): Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript c
CVE-2019-7325 (affected: <= 1.32.3): Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as multiple views under web/skins/classic/views insecure
CVE-2019-6992 (affected: <= 1.32.3): A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute
CVE-2019-6991 (affected: <= 1.32.3): A classic Stack-based buffer overflow exists in the zmLoadUser() function in zm_user.cpp of the zmu binary in ZoneMinder through 1
CVE-2019-6990 (affected: <= 1.32.3): A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML o
CVE-2019-6777 (affected: all versions): An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?vie
CVE-2018-1000833 (affected: <= 1.32.2): ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of
CVE-2018-1000832 (affected: <= 1.32.2): ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of
CVE-2017-7203 (affected: all versions): A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration o
CVE-2016-10206 (affected: <= 1.30.0): Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authenticatio
CVE-2016-10205 (affected: <= 1.30.0): Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cook
CVE-2016-10204 (affected: <= 1.30.0): SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit
CVE-2016-10203 (affected: <= 1.30.0): Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or
CVE-2016-10202 (affected: <= 1.30.0): Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or
CVE-2016-10201 (affected: <= 1.30.0): Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or
CVE-2017-5595 (affected: <= 1.30.0): A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered
CVE-2017-5368 (affected: all versions): ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which a
CVE-2017-5367 (affected: all versions): Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source C
CVE-2016-10140 (affected: all versions): Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMin
CVE-2013-0332 (affected: all versions): Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via
CVE-2013-0232 (affected: all versions): includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary command
CVE-2008-6756 (affected: all versions): ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.conf, which allows local users to obtain the database username
CVE-2008-6755 (affected: all versions): ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, wh
CVE-2008-3882 (affected: <= 1.23.3): Unspecified "Command Injection" vulnerability in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary comman
CVE-2008-3881 (affected: <= 1.23.3): Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23.3 and earlier allow remote attackers to inject arbitrary we
CVE-2008-3880 (affected: <= 1.23.3): SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrar
CVE-2008-1381 (affected: all versions): ZoneMinder before 1.23.3 allows remote authenticated users, and possibly unauthenticated attackers in some installations, to execu
CVE-2004-0227 (affected: all versions): Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allow a remote attacker to execute arbitrary code via a long que