Impact
A second-order SQL injection vulnerability exists in ZoneMinder, a free, open-source closed-circuit television platform. The flaw resides in the getNearEvents() routine within web/ajax/status.php. Although event Name and Cause values are inserted into the database using parameterized queries, the same stored data is later concatenated unescaped into SQL WHERE clauses during retrieval. This allows an attacker who can authenticate and who holds Events edit and view rights to inject arbitrary SQL statements and thus read, modify, or delete data in the database. The attacker gains direct control over database queries but does not obtain code execution or local privileges beyond the database context.
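The pattern described above, as an added example that is not ZoneMinder's PHP code: a simplified Python/sqlite3 model showing that a parameterized write stores the value verbatim, so the later read must bind it as well. The table layout, the sample rows and the function names (make_db, rename_event, near_events_concat, near_events_bound) are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small stand-in for an events table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, Cause TEXT)")
    rows = [("Event-1", "Motion"), ("Event-2", "Motion"), ("Event-3", "Signal")]
    db.executemany("INSERT INTO Events (Name, Cause) VALUES (?, ?)", rows)
    return db


def rename_event(db, event_id, name):
    # Write path: parameterized, so the value is stored exactly as supplied.
    # Binding protects this statement only; it does not sanitize the data.
    db.execute("UPDATE Events SET Name = ? WHERE Id = ?", (name, event_id))


def _stored_name(db, event_id):
    row = db.execute("SELECT Name FROM Events WHERE Id = ?", (event_id,)).fetchone()
    return row[0]


def near_events_concat(db, event_id):
    # Flawed read path: the stored Name is treated as trusted and
    # concatenated into the WHERE clause, so it is parsed as SQL.
    name = _stored_name(db, event_id)
    sql = ("SELECT Id FROM Events WHERE Id != %d AND Name = '%s' ORDER BY Id"
           % (event_id, name))
    return [r[0] for r in db.execute(sql)]


def near_events_bound(db, event_id):
    # Hardened read path: the stored value is bound like any other input.
    name = _stored_name(db, event_id)
    sql = "SELECT Id FROM Events WHERE Id != ? AND Name = ? ORDER BY Id"
    return [r[0] for r in db.execute(sql, (event_id, name))]


if __name__ == "__main__":
    db = make_db()
    rename_event(db, 1, "x' OR '1'='1")       # constructed test value
    print("concatenated:", near_events_concat(db, 1))  # filter is bypassed
    print("bound:       ", near_events_bound(db, 1))   # value stays data
```

With the constructed name, the concatenated query returns every row because the stored text rewrites the WHERE clause, while the bound query compares it as a literal string and matches nothing.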
Affected Systems
The issue affects ZoneMinder 1.36.37 and earlier, as well as 1.37.61 through 1.38.0. Administrators should verify whether their deployments fall within these version ranges. The vulnerability is present in the web interface's status.php file and can be exploited by any user with the appropriate permissions, regardless of network location.
Risk and Exploitability
With a CVSS v3 score of 8.8, the flaw is classified as high severity. The EPSS score is below 1%, suggesting a low probability of attack at present, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires authentication and specific event-editing privileges, limiting the attack surface to privileged users. Nonetheless, once the flaw is exploited, the attacker could compromise the integrity and confidentiality of the ZoneMinder database and potentially disrupt surveillance functionality.