ALT-PU-2026-3736-2

Package update zoneminder in branch c10f2

Version1.38.1-alt3

Published2026-03-03

Max severityCRITICAL

Severity:

Closed issues (2)

CRITICAL9.8

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

Published: 2026-02-18Modified: 2026-03-11

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/rishavand1/CVE-2025-65791

HIGH8.8

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.

Published: 2026-02-21Modified: 2026-02-24

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Closed bugs (7)

zoneminder не конвертирует видео в формат 3gp

zoneminder не конвертирует видео в формат 3gp

zoneminder не конвертирует видео в формат 3gp

Failed to start zoneminder.service: Unit janus.service not found.

Failed to start zoneminder.service: Unit httpd.service not found.

zoneminder тянет yarn

После обновления до новой версии не грузит стрим с камеры