CVE-2025-65791

NameCVE-2025-65791
DescriptionZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zoneminder (PTS)bullseye1.34.23-1vulnerable
bookworm1.36.33+dfsg1-1vulnerable
trixie1.36.35+dfsg1-1vulnerable
forky, sid1.36.37+dfsg1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zonemindersource(unstable)(unfixed)unimportant

Notes

https://github.com/rishavand1/CVE-2025-65791
Only supported for trusted users/behind auth
Search for package or bug name: Reporting problems