Zoneminder changelog

Changelog History

Page 1

• v1.38.3 Changes

  May 27, 2026

  🚀 ZoneMinder 1.38.3 Release Notes

  🚀 This is a maintenance release that includes security fixes, crash and memory-safety fixes, and a wide range of bug fixes for ZoneMinder 1.38.

  Note : 1.38.3 supersedes 1.38.2. The 1.38.2 tag was created but its
  🏗 > Debian package builds hit a cross-distro orig.tar.gz upload conflict
  (each distro built its own non-deterministic upstream tarball; mini-dinstall
  marked most distros as "incomplete"). Switching the Debian source format
  to 3.0 (native) for 1.38.3 eliminates the shared-orig requirement entirely.
  👷 > Apart from the source format and a few CI fixes, the content is identical
  to what 1.38.2 would have shipped.

  Key Highlights

  🔒 🔒 Security & Hardening

  • API privilege escalation (RCE) - Added System=Edit RBAC checks to ConfigsController edit/delete and hardened ffmpeg path handling in Event.php
  • GHSA-g66m-77fq-79v9 - Sanitized monitor Device path to prevent command injection
  • GHSA-745h-vg7c-73cg - Escaped URLs in camera probe wget() to prevent command injection
  • eval()-based RCE in filters - Replaced eval() in FilterTerm SystemLoad/DiskPercent/DiskBlocks evaluation with a safe compare() method and operator allowlist
  • Command injection - Hardened onvifprobe.php, zmvideo.pl invocation, MonitorsController zmu calls, HostController du, event export, and download/export pipelines with escapeshellarg() and input sanitization
  • SQL injection - Validated FilterTerm operators and collate, intval'd AlarmedZoneId/monitor IDs, restricted getFormChanges column keys, dbEscape'd MIME fields
  • SSRF - Restricted image.php proxy URL scheme to http/https only
  • XSS sanitization series - Removed reflected user input from add_monitors, device, event, events, log, and filterdebug AJAX sinks; sanitized export filename/connkey at the AJAX boundary; suppressed raw SQL error text in events ajax responses
  • Auth hash bypass with reverse proxy - HTTP_X_FORWARDED_FOR is now used consistently in both PHP and C++ auth-hash validation when AUTH_HASH_IPS is enabled
  • Reverse-proxy username handling - Auth relay now carries the username so zms validates against the indexed Username column instead of brute-iterating users
  • ⬆️ Bumped firebase/php-jwt from 6.0.0 to 7.0.0

  🐛 Crash & Memory Safety

  • 🆓 VideoStore use-after-free - filename is now held by value; destructor guards against null oc when open() bailed early (refs #4757)
  • MonitorStream segfault - Added monitor mutex to block shared-memory access during loadMonitor() remap; bail early when monitor failed to load
  • MPEG stream codec failure - Prevented segfault when the codec fails to open
  • MonitorLink fd leak - connect() now calls disconnect() first, avoiding "Too many open files" under repeated reconnect attempts
  • VideoStore fd/codec leaks - Free video_out_ctx after failed avcodec_open2; clean up codec/hw_device contexts on setup_hwaccel failure; skip flush_codecs when no frames were sent
  • Daemon FD reuse memory corruption - Daemonization now redirects stdin/stdout/stderr to /dev/null instead of closing them, avoiding libx264 writing into a reused stderr FD
  • Null pointer guards - StorageId in Monitor::Load, ModelId in Monitor::Model(), evtStream element, monitor div in video-stream.js
  • Empty events in ONDEMAND mode - Removed write-index guard that caused rapid Pause/Play cycling and ~2 empty events per second

  🎯 ONVIF Improvements

  • Subscription cleanup before re-Subscribe - Stops the NotAuthorized loop caused by leaked pull-point slots on Hikvision/Reolink cameras
  • OOB read on negative gsoap codes - Replaced SOAP_STRINGS[] array with a switch covering the codes seen in practice (SOAP_EOF, network/SSL block, SOAP_STOP) (fixes #4842)
  • Credential fallback chain - Falls back to Monitor ONVIF_Username/Password then Monitor User/Pass when ControlAddress lacks auth
  • 'Use ONVIF' badge - Only displayed on the console when the listener is actually enabled

  🎥 Recording & Playback Correctness

  • AV_NOPTS_VALUE handling in VideoStore - Synthesizes monotonic DTS for video passthrough; reorder queue and audio first-DTS no longer compare AV_NOPTS_VALUE sentinels
  • DTS backward jump detection - FfmpegCamera now triggers reconnect on >10s DTS rollback, ending the minutes-long warning storm after stream restarts
  • Event end time - Derived from StartDateTime + Length when EndDateTime is missing (crashed/killed zmc), so montage review no longer paints a bar across hours of down-time
  • incomplete.mp4 playback - C++ handler, view_video.php, and image.php now load incomplete event files; mp4 export end-timestamp fixed for multi-event downloads (closes #4767, #4774)
  • 📜 HTTP Range header parsing - Correctly handles bytes=start-end, bytes=start-, and bytes=-suffix; fixes ERR_CONTENT_LENGTH_MISMATCH on HEVC mp4 playback in Chrome (fixes #4777)
  • Content-Range header - Added missing dash separator
  • Event::delete deadlock retry - Wraps the delete transaction in READ COMMITTED with rollback + retry on errno 1213 instead of committing through the deadlock
  • Polygon fill - Scan-line fill now steps active edges by pairs, fixing non-convex zones whose concave gaps were incorrectly marked inside the zone
  • Polygon clamp - Percentage polygons clamp to width-1/height-1, stopping spurious "polygon hi_x >= image width" warnings
  • Zone stats percentage - Convert Area from percentage coordinate space (0-10000) to pixel area before calculating percentages
  • alarm_frame_count in ready_count - Stops "Hit end of packetqueue before satisfying pre_event_count" warnings when pre_event_count is 0 but alarm_frame_count is set

  🔐 Authentication & Permissions

  • Role-based stream access - The C++ User class is now role-aware and consults Role_Monitors_Permissions, Role_Groups_Permissions, and User_Roles base permissions, matching the PHP visibleMonitor() logic
  • Stale auth hash on long-running montage - MonitorStream.js refreshes the auth hash before restarting streams on tab visibility change and after the idle modal
  • Auth relay - Username included in relay; empty auth_relay no longer produces double && in zms URLs; warns on user mismatch instead of silently falling back
  • Trigger reliability - zmTriggerEventOn now writes trigger_state last, fixing a ~1/3 trigger acceptance rate

  🏗 🏗️ Build & PHP 8

  • Debian source format → 3.0 (native) - The 1.38 line now ships native source packages instead of 3.0 (quilt). Eliminates the cross-distro orig.tar.gz hash conflict on the build farm; each distro produces a self-contained zoneminder_<VERSION>-<DISTRO>.tar.gz. Invisible to apt/dpkg consumers — affects only the source package layout in the repository.
  • a2enmod rewrite - Debian/Ubuntu postinst now enables mod_rewrite (was incorrectly calling a2enmod cgi), fixing install failures
  • PHP 7 polyfill - str_starts_with/str_ends_with/str_contains polyfilled at the top of functions.php so PHP 7 installs don't fatal on event.php
  • PHP 8 GD handling - imagedestroy() now called conditionally; GDImage memory release forced on PHP >= 8.0
  • www-data video group - Debian/Ubuntu postinst adds www-data to video and dialout groups so zmc can open /dev/video* on fresh installs (refs #4642)
  • 👍 FreeBSD support - Top command parsing fixed for FreeBSD 13.5; /proc/meminfo presence check; removed unnecessary kFreeBSD arch checks; FreeBSD arm build fixes
  • ZM_NO_CURL=ON build - Added HAVE_LIBCURL preprocessor guards throughout zm_monitor.h/cpp and zmc.cpp

  Detailed Changes

  Core Engine

  • 0️⃣ Default ffmpeg decoder thread_count to 2 (roughly halves software 1080p H.264 decode time)
  • 🚤 Flush decoder_queue on decoder thread exit to avoid stale latency offset across reconnect
  • Reset last_write_index in Pause() to restore DECODING_ONDEMAND bootstrap
  • Added CLOSE_DURATION event close mode handling (was silently falling back to CLOSE_IDLE)
  • Event-id latch on linked monitor score detection so brief alarm cycles between analysis ticks are no longer missed
  • ⬇️ Reduced linked monitor reconnect throttle from 60s to 1s
  • 👉 Used +1 instead of +last_duration for equal-DTS fixup

  👍 Camera Support

  • FFmpeg : Use CxxUrl for credential injection (replaces fragile substr-based string manipulation)
  • Reolink : Handle HTTP-to-HTTPS 302 redirect during login (LWP::UserAgent does not follow redirects on POST)
  • V4L2 : Treat ENOTTY like EINVAL when querying JPEG compression options (some drivers return ENOTTY)
  • ➕ Added SSL certificate verification fallback to the base Control class — retries with verification disabled on SSL errors, applies to get/put/post

  🌐 Web Interface & API

  • ⏪ pushState URL state management on the events page so filter state is shareable and browser back/forward restores it
  • 🛠 Mobile layout fixes for monitor config and watch views (CSS specificity on :first-child)
  • Don't blank the screen between events when animations are off
  • 🛠 Alarm/idle border applied only to .imageFeed, not nested img/video elements — fixes extra borders and streams jumping around
  • 🛠 Stream URL state: include port in Server URL methods for port-forwarded setups (fixes #4675); honor explicit port argument in urlToApi single-server case; urlToApi falls back to location.host
  • Thumbnail overlay scale calculated from actual monitor dimensions instead of hardcoded scale=75
  • Montage review playback smoothness, fractional-seconds preserved through mmove/setSpeed, video seek overshoot fix on initial AVSEEK_FLAG_FRAME
  • montagereview cookie stores speed value instead of index; changeFilters guards against NaN from invalid date input
  • 🚚 getTracksFromStream moved to skin.js so it can also be used on recorded events; added Go2RTC variant; restart MSE thread on any appendMseBuffer error (not just QuotaExceededError)
  • VolumeSlider: noUiSlider properly destroyed when switching player or monitor; #volumeControls now always in...

• v1.38.1 Changes

  February 17, 2026

  🚀 ZoneMinder 1.38.1 Release Notes

  🚀 This is a maintenance release that includes bug fixes, performance improvements, and enhancements to ZoneMinder 1.38.

  Key Highlights

  🎯 ONVIF Improvements

  • 🆕 New unified ONVIF control module - Replaces four separate vendor-specific implementations with a single, more robust module
  • Automatic SSL verification fallback for cameras with self-signed certificates
  • 👌 Improved clock drift handling - Configurable timestamp validity window (10-600 seconds) to handle time differences between ZoneMinder and cameras
  • 👍 Better authentication - Fixes for "not authorized" errors caused by clock synchronization issues in ONVIF Event Listener
  • ✅ Direct protocol testing mode - zmcontrol.pl now supports --protocol flag for testing control modules without database access
  • ✨ Enhanced event listener support - Better handling of ONVIF events and subscription renewals

  🐎 🚀 Performance Optimizations

  • Event thread improvements - Uses condition variables instead of sleep for faster response to decoded frames
  • Decoder optimizations - Better queue management and flushing when decoding is no longer needed
  • Persistent blend buffer - Eliminates per-frame allocations in image blending (significant performance gain)
  • ⚡️ Optimized pixel operations - Faster color merging and highlight detection algorithms
  • 👀 Binary search for event seeking - Dramatically faster seek operations in event playback

  🚑 🐛 Critical Bug Fixes

  • Event naming race condition - Fixed events being renamed during recording
  • Memory leaks - Fixed leaks in Event_Tag, blend operations, and hardware frame transfers
  • 🏷 Tag filtering - Fixed "No Tag" (0) and "Any Tag" (-1) filter logic
  • Timezone handling - Proper handling of camera vs. server time zones in event streams
  • SSL verification - Automatic retry without verification for Go2RTC, Janus, and ONVIF connections

  🔧 Stability Improvements

  • Thread safety - Fixed race conditions in analysis, decoder, and event threads
  • Proper cleanup - Events now properly signal termination and wait for threads
  • 👍 Better error handling - Improved handling of codec errors, network failures, and resource exhaustion
  • 🛠 Shared memory fixes - Correct attachment counting and cleanup

  Detailed Changes

  Core Engine

  • 🛠 Fixed decoder queue flushing when decoding mode changes
  • 👌 Improved packet notification system for faster inter-thread communication
  • 👍 Better handling of on-demand decoding modes (KEYFRAMES, KEYFRAMESONDEMAND)
  • Fixed last_write_time updates even when not decoding to prevent monitor stall detection false positives
  • Event threads now use wait_for() instead of sleep for sub-millisecond response times
  • 🛠 Fixed Event destructor to properly stop and join threads before cleanup

  👍 Camera Support

  • FfmpegCamera : Fixed secondary stream credential application
  • LocalCamera : Better error messages for missing /dev devices (systemd PrivateDevices check)
  • LibVNC : Fixed memory allocation error handling
  • LibVLC : Added null pointer checks before stopping player
  • ➕ Added MPEG4 decoder support
  • 🛠 Fixed RTSP stream timeout handling

  Control Systems

  • AxisV2 : Complete rewrite with credential guessing, binary search optimizations, and configuration get/set support
  • Dahua : SSL verification with automatic fallback
  • Uniview : LAPI JSON API support, configuration management, better network probing
  • ONVIF : Unified module replacing vendor-specific implementations
  • Reolink/TapoC520WS : Fixed brightness case sensitivity bug and missing sendCmd calls
  • ✅ All control modules now support direct protocol testing mode

  🌐 Web Interface & API

  • 🛠 Fixed tag filter SQL for special values (0 = No Tag, -1 = Any Tag)
  • 👍 Better handling of Events_Tags table LEFT JOIN null comparison issues
  • 👌 Improved event name updates to preserve user changes during recording

  Database

  • ⚡️ Added migration zm_update-1.38.1.sql to increase ONVIF_Options column from 64 to 255 characters
  • 🏷 Fixed Event_Tag constructor to handle null assigned_by values
  • ⚡️ Async database updates in Event destructor to avoid blocking

  👷 Build System

  • Minimum CMake version raised to 3.12
  • Fixed include directory handling (now uses ZM_INCLUDE_DIRS list)
  • Fixed ZM_STRIP_NEON definition
  • Better handling of add_definitions() vs target_compile_definitions()
  • 🛠 Fixed Perl executable detection (${PERL_EXECUTABLE} instead of hardcoded perl)
  • ✂ Removed duplicate code in CMakeLists.txt

  🔧 Configuration & Logging

  • 🛠 Fixed zm_config.cpp whitespace trimming logic
  • ConfigItem copy constructor now properly copies all fields
  • 👍 Better database command detection (supports MariaDB-native commands like mariadb and mariadb-dump)
  • 👌 Improved logging in multi-server configurations
  • 🛠 Fixed version mismatch handling in zmpkg.pl to warn instead of fatal error

  Scripts & Tools

  • zmcontrol.pl : New --protocol mode for direct control module testing without database
  • ⚡️ zmupdate.pl : Uses findDbCommand() for MariaDB compatibility
  • zmcamtool.pl : Uses findDbCommand() for mysqldump
  • zmonvif-probe.pl : Added events command to check ONVIF event support

  Miscellaneous

  • 🛠 Expanded MacVendors.json with many more camera vendor MAC address prefixes
  • 🛠 Fixed zm_buffer.h null pointer check
  • 🛠 Fixed numerous typos in comments and debug messages
  • 👍 Better error messages throughout the codebase
  • 👌 Improved AGENTS.md developer documentation

  Platform-Specific Changes

  🐧 RedHat/Fedora/Rocky Linux

  • ⚡️ Updated spec file to use mariadb-connector-c-devel instead of mariadb-devel
  • ➕ Added cjson-devel build dependency
  • 🔄 Changed to fedora:43 from fedora:rawhide in CI
  • ➕ Added arp-scan and iproute dependencies
  • 🛠 Fixed systemd conflicts in container builds
  • ➕ Added explicit paths for network tools to avoid systemd PrivateDevices issues
  • ✂ Removed static library packaging per Fedora guidelines

  CI/CD

  • ✂ Removed obsolete CI workflows (Debian Bullseye/Bookworm, Ubuntu Focal, CentOS 8)
  • 🏗 Renamed package build workflows for clarity
  • ⚡️ Updated Fedora build matrix

  ⬆️ Upgrade Notes

  1. Database Migration : Run zmupdate.pl to apply schema changes (ONVIF_Options column expansion)
  2. ONVIF Users : If you have custom ONVIF control configurations, you may want to switch to the new unified "ONVIF" control type for better reliability
  3. Clock Drift Issues : If experiencing ONVIF authentication failures, add timestamp_validity=120 (or higher) to ONVIF Options field ✅ 4. Control Testing : Use new zmcontrol.pl --protocol ONVIF --address user:pass@ip --command get_config for diagnostics

  Contributors

  🚀 This release includes contributions from the ZoneMinder development team and community members who reported bugs, tested fixes, and provided feedback.

  ---

  Full Changelog : 1.38.0...1.38.1

• v1.38.0 Changes

  February 01, 2026

  🚀 ZoneMinder 1.38.x Release Notes

  TL;DR - Key Highlights

  • 🔐 Role-Based Access Control - Enterprise-grade permission system with user roles
  • 🎥 Modern Streaming - WebRTC, Go2RTC, RTSP2Web support with hardware acceleration
  • ⚙️ Monitor Function Redesign - Granular control with separate Capturing, Analysing, and Recording settings
  • ✨ 📡 Enhanced Protocols - ONVIF Events, MQTT, Amcrest API integration
  • 🏷️ Event Tagging - Flexible labeling and organization system
  • 📊 Server Monitoring - Real-time CPU, memory, and performance metrics
  • 🌍 Geolocation - Geographic tracking for events and servers
  • ⚡ Hardware Encoding - GPU acceleration for video encoding

  Overview

  🚀 ZoneMinder 1.38.x represents a major evolution from version 1.36.x, introducing significant architectural improvements, new streaming capabilities, enhanced security features, and extensive monitoring enhancements. This release focuses on modernizing the platform with support for contemporary streaming protocols, implementing enterprise-grade access control, and improving performance and scalability.

  Major Feature Areas

  🔒 1. Advanced User Access Control & Security

  Role-Based Access Control (RBAC)

  • Introduced comprehensive role-based permission system with reusable role templates
  • New database tables: User_Roles, Role_Groups_Permissions, Role_Monitors_Permissions
  • Replaced legacy comma-separated monitor ID strings with normalized permission tables
  • Fine-grained permissions for both monitor groups and individual monitors

  ✨ Enhanced User Management

  • ➕ Added user profile fields: Name, Email, Phone
  • 👉 User-specific montage layouts for personalized dashboards
  • 👌 Improved security controls with private and system configuration flags

  👍 2. Modern Streaming & Multi-Protocol Support

  WebRTC Integration

  • 👍 Janus WebRTC Gateway support with audio streaming capabilities
  • 👍 Go2RTC protocol support for alternative streaming
  • RTSP2Web streaming with WebRTC/MSE/HLS options
  • 🔧 Configurable codec selection and stream profiles

  Hardware-Accelerated Encoding

  • 👍 Hardware acceleration support for video encoding (GPU encoding)
  • 🆕 New encoder configuration options: EncoderHWAccelName and EncoderHWAccelDevice
  • Human-readable codec names replacing integer-based codec selection
  • ⚡️ Optimized encoding for reduced CPU usage

  3. Monitor Function Redesign

  One of the most significant architectural changes in 1.38.x is the redesign of the monitor Function field into three independent control parameters. This provides much more granular control over monitor behavior.

  Legacy Function Field (1.36.x and earlier)

  The traditional Function field was a single enum that controlled all aspects of a monitor's operation:

  • None - Monitor disabled
  • Monitor - Capture video only (no recording, no motion detection)
  • Modect - Motion detection with recording on motion
  • Record - Continuous recording without motion detection
  • Mocord - Continuous recording with motion detection
  • Nodect - Recording on external trigger, no built-in motion detection

  🆕 New Granular Control (1.38.x)

  The Function field has been split into three independent settings, allowing fine-grained control:

  Capturing enum (None/Ondemand/Always)

  • Controls whether the monitor captures video from the camera
  • None - No video capture (monitor effectively disabled)
  • Ondemand - Capture only when needed (e.g., when viewing live or triggered by events)
  • Always - Continuous video capture from the camera

  Analysing enum (None/Always)

  • Controls whether motion detection and analysis is performed
  • None - No motion detection or analysis (equivalent to Monitor or Record modes)
  • Always - Perform motion detection and analysis (equivalent to Modect or Mocord modes)

  Recording enum (None/OnMotion/Always)

  • Controls when video is saved to disk
  • None - No recording (live viewing only)
  • OnMotion - Record only when motion is detected or triggered
  • Always - Continuous recording

  Migration from Legacy Functions

  The database automatically migrates old Function values to the new settings:

  • None → Capturing: None, Analysing: None, Recording: None
  • Monitor → Capturing: Always, Analysing: None, Recording: None
  • Modect → Capturing: Always, Analysing: Always, Recording: OnMotion
  • Record → Capturing: Always, Analysing: None, Recording: Always
  • Mocord → Capturing: Always, Analysing: Always, Recording: Always
  • Nodect → Capturing: Always, Analysing: None, Recording: OnMotion

  Benefits of the New Design

  • 🔧 More flexible monitor configurations (e.g., analyze but don't record, or record without analysis)
  • 👍 Better resource management by independently controlling capture, analysis, and storage
  • Clearer separation of concerns for troubleshooting
  • Foundation for future enhancements like conditional recording policies
  • Easier to understand monitor behavior at a glance

  4. Enhanced Camera Integration

  👍 Extended Protocol Support

  • ONVIF Event Listener for direct camera event notifications
  • 👍 Amcrest API support for Amcrest-branded cameras
  • MQTT integration for IoT device communication and message handling

  Camera Management

  • Camera manufacturer and model database integration

  5. Advanced Event Management

  Event Tagging System

  • Flexible event labeling with custom tags
  • Many-to-many relationship between events and tags
  • 👌 Improved event organization and filtering

  Event Automation & Triggers

  • Event start and end command execution
  • Multiple event close modes: system, time, duration, idle, alarm-based
  • ⚠ Section length warnings for long recordings
  • ⏱ Filter execution intervals for scheduled automation

  📇 Event Metadata & Analytics

  • 📇 Event data extensibility with custom metadata storage
  • Geolocation tracking (latitude/longitude) for events
  • ✨ Enhanced event reporting system with historical analytics

  🐎 6. Performance & Infrastructure

  Server Monitoring

  • Comprehensive server statistics tracking
  • CPU usage monitoring (User, Nice, System, Idle percentages)
  • Memory and swap utilization metrics
  • 🐎 Timestamped performance data collection

  Optimization Features

  • Monitor startup delay to stagger initialization and reduce system load
  • ✨ Enhanced status tracking with update timestamps
  • Analysis image channel optimization (Full Color vs. Y-Channel) (reduces cpu use)
  • 👌 Improved monitor soft delete with logical deletion flags
  • Monitor importance levels (Normal/Less/Not) for stream prioritization
  • 🔀 Wall clock timestamp synchronization when doing passthrough

  7. Display & User Interface

  Montage Enhancements

  • 🔧 Expanded grid layouts: 1/2/4/5/6/7/8/9/10/12/16 Wide configurations
  • 👉 User-specific montage layouts with personalized views
  • options to locate/hide status information to fully use space

  Playback Improvements

  • 0️⃣ Default player selection for preferred streaming client
  • ✨ Enhanced video playback controls
  • 👌 Improved event viewing experience
  • Optimal mjpeg scaling to reduce cpu/bandwidth use while maintaining fidelity

  ** New file explorer view **

  • limited to defined storage areas

  ** Watch and Cycle views merged **

  • PTZ controls improved, with toggling of visibility

  8. Storage & Recording

  Granular Recording Control

  👀 With the redesign of the monitor Function field (see section 3), recording behavior is now controlled independently through the Recording, Capturing, and Analysing settings. This provides much greater flexibility:

  • Recording modes : None/OnMotion/Always
  • Capturing modes : None/Ondemand/Always
  • Analysis modes : None/Always

  🔧 This allows configurations that weren't possible with the old Function field, such as:

  • Capture and analyze without recording (for alerting only)
  • Record without analysis (for compliance/archival)
  • On-demand capture with triggered recording

  Email Notifications

  • Email format options: Individual or Summary
  • 👌 Improved event notification formatting
  • 🔧 Configurable alert delivery

  📇 9. Geographic & Metadata Features

  👍 Geolocation Support

  • Geographic coordinates for monitors, events, and servers
  • Location-based event tracking and analysis

  10. Development & Integration

  Database Schema Evolution

  ⚡️ The 1.37.x series includes approximately 79 database schema updates from 1.37.1 through 1.37.79, each introducing targeted improvements and new capabilities. Key architectural changes include:

  • 🔧 Migration from string-based configuration to normalized relational tables
  • 📇 Introduction of extensible metadata storage systems
  • ✨ Enhanced foreign key relationships for referential integrity
  • 👌 Improved indexing for query performance

  ⬆️ Upgrade Considerations

  💥 Breaking Changes

  • Permission system migration from comma-separated strings to normalized tables
  • 🔧 Some configuration parameters have been renamed or restructured
  • ⚡️ Monitor soft delete may require updates to custom scripts that query monitor data

  Compatibility

  • 🔖 Version 1.36.x is still supported alongside 1.38.x (see SECURITY.md)
  • ⚡️ Database upgrades are handled automatically via update scripts
  • ⬆️ Backup your database before upgrading

  System Requirements

  • Hardware acceleration features require compatible GPU and drivers
  • 🔧 WebRTC streaming may require additional server configuration
  • MQTT integration requires MQTT broker setup

  👍 Community & Support

  📚 For detailed documentation, visit: https://zoneminder.readthedocs.org

  • Issue Tracker : https://github.com/ZoneMinder/ZoneMinder/issues
  • Forums : https://forums.zoneminder.com
  • Slack : https://zoneminder-chat.slack.com/
  • Discord : https://discord.gg/tHYyP9k66q

  Acknowledgments

  🚀 This release represents the collaborative effort of the ZoneMinde...

• v1.36.38 Changes

  February 19, 2026

  • 🛠 Fix Secondary Order SQL Infection in via Stored Event Name and Cause Fields. Fixes GHSA-r6gm-478g-f2c4

  • 🛠 Fix formatters for 64bit values. Fixes #4580

  • ➕ Add libjson-xs-perl to deps in the hopes of fixing noble dependency issues

  • Only set timezone if it is set in config.

  • ➕ Add defaults for Type and Scheme in perl Storage object code to prevent warnings in logs due to undefined values

  • Set tz in Date::Manip so that returned unixdate from '-1 hour' is in the current timezone, not UTC

  • 🛠 Fix default zone creation to account for monitor rotation

  • 🛠 FIx %ld is used for time_t Fixes #4516

  • Improve handling of ZM_DB_TYPE

  • 🗄 Only set auto_reconnect if mysql. mariadb uses a different name, and it is all deprecated anyways.

  • ➕ Add libpcre2-posix2 for focal

  • 🔀 Merge v4l2 fixes due to breakage in kernel 6.17

  Full Changelog : 1.36.37...1.36.38

• v1.36.37 Changes

  December 22, 2025

  🔄 Changes since 1.36.36

  • 🛠 Fix building against FFmpeg 8.0
  • 🌲 Warn=>Debug for first_dts logging
  • 🛠 Fix for setting directory permissions in newer debian
  • 🗄 Use libpcre2 instead of deprecated libpcre3
  • Updates to do_debian_package.sh
  • In zmaudit.pl die if we fail to resurrect an event. Delete events with id 0
  • 🐎 Drop various foreign keys around Events table. We do this in 1.37 for performance/locking reasons. We are doing it here for zmrecover.pl
  • ➕ Add EXPLAIN output to filter debug
  • 📄 docs readthedocs fixes
  • ➕ Add net-tools for arp, pkexec, libuuid and remove libjson-xs-perl to debian dependencies
  • 🔧 Small fix for Apache virtual server configuration instructions.
  • 🏗 deprecate packpack based builds
  • 🛠 Fix for zmrecover.pl due to LinkPath using a 2 digit year not 4 in Deep Storage
  • 👌 Improve the error message to indicate mysql library instead of client binaries
  • 🛠 Fix for API events
  • ➕ Add deps for oracular, noble, trixie
  • ⚡️ Update telemetry url, add timezone to data
  • Correct escaping of \n\r and ' characters when escaping config entries on javascript side

  Full Changelog : 1.36.36...1.36.37

• v1.36.36 Changes

  October 03, 2025

  🔄 Changes since 1.36.35

  • 🛠 Fixup deletePath. Handle links, and report failures. Fix escaping the filename and put it in quotes in case it has spaces. Fixes #4446
  • ➕ add build support for debian trixie
  • Check for existence of modal before including it.
  • 🛠 Trim any trailing / from storage path. Can cause problems Fixes #4371
  • ✂ Remove 100 limit on response to events index in api. Handle there not being a next or prev neighbour.
  • Fix deprecated AVCodecContext::channel_layout to use ch_layout
  • 🛠 Fix sorting by Storage in events
  • 👉 Make events list sortable by Storage
  • 🛠 Fix adding rotation when not needed.
  • 🛠 Use translated yes instead of 'yes'. Fixes #4270
  • Populate status of monitors with Function=None to "Not Running"
  • 🛠 Use validJsStr to escape things needed for config entries. Fixes GHSA-c7hj-fxh6-8g8j
  • 🖐 Handle when an invalid ServerId is specified in the Monitor
  • ➕ Add support for Ubuntu oracular
  • ✂ Remove code that converts to mono audio
  • WHen encoding use AV_TIME_BASE_Q for output stream as well. Always calculate duration from pts instead of from potential input frame duration.
  • ➕ Add Support for the AV1 Codec
  • 0️⃣ If ffmpeg can't figure out the sie of the stream, default to what we entered in monitor.
  • ➕ Add readthedocs.yaml from master will hopefully fix docs building which has been broken for some time.
  • 🛠 Fixes to stream scaling
  • Montage: Fix width and height not persisting. Check for valid value instead of validInt because we have px on the end. Clear cookie if not valid
  • 🛠 Fix lack of support for rotation in ffmpeg 5.1 onwards
  • ⚡️ Update bootstrap-table to 1.23.5
  • 🛠 Fix not being able to sort by EndDateTime Fixes #4190
  • 👍 Allow deselecting of all Monitor IDS
  • Disable reorder queue if doing encoding
  • ✂ Remove the modal content so that when choosing another group or new we get that instead of the first content
  • destroying then re-applying chosen for some reason auto-selects all options. Fix the problem by fixing the table width with css so that the underlying select is already 100%.
  • Set any tables in a modal to 100% so that they fill the modal.
  • If no group id don't do sql lookup
  • Give an id to the newGroup[MonitorIds] select can look it up more efficiently when applying chosen rules
  • ⚡️ Don't bother making the UpdatedOn file NOT NULL by update. We don't actually care. Fixes #4180
  • Don't warn about no locale set, that is normal
  • Clean out duplicated datetimeformatter stuff that happens in config.php
  • 🛠 Check for validity of locale. Handle fatal crash when setting datetiemformatter when an invalid locale is used. Fixes #4179
  • ➕ Add missing n breaking Date Formatter use
  • ➕ Add support for no sort field. No longer default to StartDateTime (makes filter sql more efficient)
  • Only require Date::Manip if using strtotime
  • 👉 Make NULL be case-insensitive in filters
  • ➕ Add checking of keyframeinterval to Ready()
  • Only calculate keyframe interval using video stream
  • 🛠 Fix again the infinite loop in counting keyframes
  • Count keyframes on queuePacket so that analysis Ready() will start when out of order packets are present
  • 🖐 Handle change of res/colours in zms by reloading the monitor object.
  • 🛠 Fix crash due to trying to access event->StartTime when there is no event
  • Revert change of tot_score and avg_score to unsigned ints. Make them ints so that comparison with other scores is ok

• v1.36.35 Changes

  October 22, 2024

  🔄 Changes since 1.36.34

  • 🏗 Merge in auto package building using github ci
  • ⚡️ On upgrade, always attempt re-applying the last db update. This helps when running proposed ppa
  • Only use fps_report_interval for the logging of fps updates. Always update the db. This fixes cameras being listed as offline despite being fine due to a very long fps update interval
  • ⚡️ Track Monitor_Status and FPS logging times separately. Update db every 10seconds.
  • Don't output the boundary if we aren't streaming. Single jpegs don't need it and something was complaining about it
  • Only output 403 status if not nph

  - ➕ add MariaDB to docs

  • more ffmpeg5 deprecations

    • 🗄 Handle ffmpeg6 deprecating (renaming) pkt_duration
    • 🛠 ffmpeg7 fixes
    • ➕ add logging of stream index in debug code
    • ✂ Remove deprecated reconnect setting for mysql
    • Auto reconnect when mysql is lost
    • Replace deprecated mysql_ssl_set with mysql_options()
    • ➕ Add getting the connection id from mysql and log it in zmDbDo. This is so that when mysql reports a dropped connection, we can figure out which process it was.
    • ➕ Add debugging of db failures
    • 🛠 If an invalid port is specified, don't actually start the rtp threads. They don't get used in RTP/RTSP. Fixes [#3759]
    • Default end_time to start_time on event creation so that we don't get a negative duration
    • Don't start max score at -1 as that is not a valid value for the db.
    • ➕ Add support for DateTime and Server advsearch filters
    • Remove reorder_queue_size from output options to prevent logging
    • Add event->Duration and use it when considering min_section_length because the first keyframe may have been quite a while ago and we can end up closing an empty event.
    • ✂ Remove default of NOW from UpdatedOn in Monitor_Status field because old mysql can't handle it. Explicilty set it in zmc. Fixes [#4155]
    • 🛠 Use htmlspecialchars on Message to prevent Stored Cross-Site Scripting. Fixes GHSA-rqxv-447h-g7jx
    • 🛠 Fix crash in api when auth is turned off and you try to log in
    • ➕ Add End Date Time and None as options for sorting in filters, which allows us to create more efficient SQL queries.
    • 🛠 Fix labelling for defaultCodec, as it is used for event viewing, not live view.
    • Only show location tab when GEOLOCATION is turned on
    • 🛠 Fix zone edit image jumping around when status is alert
    • 🖐 Handle change of res/colours in zms by reloading the monitor object.
    • Count keyframes on queuePacket so that analysis Ready() will start recording when there are enough packets in queue.
    • 👉 Make NULL be case-insensitive in filter rules

  Full Changelog : 1.36.34...1.36.35

  🔒 A lot of back ports from 1.37. One security vulnerability fix. The main thrust was the mysql and ffmpeg deprecations. All users are encouraged to upgrade.

  ⚡️ Updating the sort field on your filters can have a significant effect on mysql cpu/ram use. For example the Update Disk Space filter defaults to sorting by StartDateTime or ID which makes mysql not use the index on EndDateTime and DiskSpace. Since we don't care about the order we act on results, we don't need to sort at all. So on a large database this query can go from hitting every row in the table, to almost none.

• v1.36.34 Changes

  August 12, 2024

  🔄 Changes since 1.36.33

  • 🛠 fix mouseEvent property names, allowing zooming into recorded events
  • 🗄 Handle ffmpeg5 channel deprecations
  • ➕ add debian Add bookworm support
  • ➕ add Help text for OPTIONS_ALARMMAXFPS
  • ✂ remove Remove chowning /usr/share/zoneminder from docs.
  • 📄 docs: Spelling, fix missing db in database create for bullseye, add bookworm instructions
  • 🌲 Clean up help text for ZM_LOG_DEBUG_FILE to not say that it can include a directory. It should be JUST a filename.
  • 🌲 Do not allow directory names in ZM_LOG_DEBUG_FILE. Only log to ZM_LOG_DIR
  • 🐎 Load the ZM::Event using the Event Model data instead of loading by Id which goes back to db for performance (API faster)
  • If no next bulk frame use Event data to estimate the delta to supply an image
  • ✂ remove duplicate event save when updating Disk Space
  • 👍 Allow caching of images in view=image
  • 👌 Improve logging wrt insufficient permissions
  • ⚡️ Update fail2ban.rules
  • Don't show bandwidth options if there are none to choose from
  • ⚡️ Update redhat build docs
  • 🛠 Fix missing auth_relay on alarm xhr
  • 👀 Make objdetect modals 65% width to make it easier to see
  • Don't exit on segfault, perhaps allowing graceful shutdown
  • Switch from utf8 to utf8mb4 so that collation works
  • 🖐 Handle failure to db query more gracefully
  • Transform date string to int to satisfy newer php
  • ➕ Add auth_relay to control command
  • ONVIF: Handle RateControl being undef
  • 🔒 Restrict mid to a cardinal value. Fixes GHSA-9cmr-7437-v9fj
  • in detaintPath also strip :// because php:// is a way to inject code
  • 🔒 Only allow Events Columns for sort. Fixes GHSA-2qp3-fwpv-mc96. Fixes GHSA-9cmr-7437-v9fj
  • 👉 Use https proxy instead of http since we now access an https url
  • 🛠 Fix Auto Unarchive not deselecting
  • 🛠 define count. Fixes #3799
  • ➕ Add quotes around dbUser and dbPass to prevent command injection in zmcamtool.pl and zmupdate.pl
  • If group is empty, return false for canview so that it doesn't appear in dropdowns etc.
  • Only show groups that we can view
  • ⏪ Revert change to cookie and cookie expire to fix loss of bootstrap table preferences. Add samesite
  • Info to Debug for login.
  • 🗄 API: Always return an array in getCredentialsDeprecated
  • API: Don't try to do auth if auth is turned off
  • When ZM_AUTH_HASH_IPS is off, don't use remote ip in storing auth hash in session. If ips are constantly changing it breaks.
  • API: Don't assume findByEventidAndType actually returns a frame. If we are only recoridng, then there will be no alarm frames in the db
  • 👉 Make view does not exist an error instead of fatal
  • 🗄 Handle ffmpeg 7 deprecations
  • Set fps and bandwidth to 0 on start and stop of zmc.
  • When editing buffer settings, ensure that MaxImageBuffers > PreEventCount.
  • 🛠 Use either version or version.txt. Fixes #3798
  • 🆓 clear packet images even when there is an event, because we send it to the event, which will use the images and so we don't need them anymore. ALso free analysis images even when not passthrough.
  • Set default value for rows per page using WEB_EVENTS_PER_PAGE. Fixes #3728
  • When save cookies via PHP >= 7.3.0, add handling of the "path" value in the options (session.php)
  • 🔄 Change save button to a regular button that calls validateForm and don't set form.subit to validateForm. ValidateForm will now alert and switch tabs to better inform what the incorrect value is. Built-in validation doesn't work due to tabs and the invalid input not being focusable
  • ⚡️ Add UpdatedOn field to Monitor_Status and update it when updating Monitor_Status
  • ✂ Delete Monitor_Status records that havn't been updated in over a minute
  • 🔒 Sanitise displayinterval,speed and scale parameters. Fixes GHSA-pjjm-3qxp-6hj8
  • 🔒 Sanitise filter[Id] when parsing filter. Fixes GHSA-6rrw-66rf-6g5f
  • 🚚 Move code to shutdown the process properly into exit_zms and use it when auth fails. The stops a segfault.
  • Limit scale to 16x mainly to put an upper bound on the amount of ram we might use.
  • Limit scale in montagereview to 1.1 to prevent requesting images larger than 100%
  • ➕ Add dependencies for ubuntu noble
  • 🆓 Redo the event thread. Instead of analysis adding packets to an event specific queue, just pass in the iterator and let the event thread do it's own locking. This allows us to free ram in packet in the event, and not segfault.
  • move image_count to shared mem. Use it in monitorstream to detect when last_write_time % buffer_count hasn't changed, but there is in fact a new image. Should improve streaming when ImageBufferCount<=3. Should allow = 2.
  • Reset last_capture_image_count in connect so that we don't get negative fps reports and possible floating point exceptions
  • 🌲 Don't log failure to get packet. Can only happen when stopping the packetqueue.
  • 🖐 Handle non increasing timestamps from ffmpeg
  • 👀 Use last duration instead of 1 when adjusting dts when non-monotonic. Some googling indicates this might be a better approach. What I am seeing with a tapo C520WS agrees.
  • Update charset header in ja_jp.php from Shift_JIS to UTF-8
  • 🚀 Always re-apply the latest update. Mainly because sometimes Isaac forgets to add the zm_update file when bumping versions, also in release branches, we increment version before release. zm_update scripts are always supposed to be re-runnable.
  • Limit segfaults to 1
  • Put swap file File::find into an eval because it can die in zmaudit.pl
  • Put back code that looks for iterators when cleaning packet queue. event thread can now have an iterator that follows analysis
  • Sometimes the initial keyframe packet will have AV_NOPTS for pts and dts. When this happenes, set last_dts to -1 instead of 0, so that when the next packet comes in and sets the first_dts value, the resulting dts will be 0 which is > -1.
  • ⚡️ Update debian.rst, enable autostart of ZM at boot
  • 🔊 If the css in cookie is invalid, clear it so that the logs don't fill up with the warnings
  • 🌲 Don't log error when ignoring action if it is an ajax request
  • 🛠 Handle more than one level of output buffering when cleaning and ending them so we can send the video file so we don't run out of ram. Fixes #4110

  Full Changelog : 1.36.33...1.36.34

• v1.36.33 Changes

  February 24, 2023

  🔄 Changes since 1.36.32

  • 🔒 Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
  • ➕ Add object-src CSP directive to help prevent XSS
  • db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
  • 👉 use detaintPath on modal to prevent including other files instead of real modals
  • Check for valid date in minTime and maxTime to prevent SQL attack
  • Introduce check_datetime function to validate dates
  • Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
  • 👉 Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
  • Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
  • ✅ test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
  • 🚚 Move actions process to after the unauth check to prevent actions happening when unathentication
  • 🛠 Fix detaintPath not stripping sequences like ..././
  • 🛠 Escape <> in log messages to prevent html shenanigans. Fixes [#3596]
  • ⚡️ Don't start the statusCmdQuery on streaming start, because it is used when doing still updates. If we start it too fast, zms may not have started yet, causing errors in logs about zms
  • 🛠 Set a short expiry 1min and set the cookie name to include the filter so that each and every filter gets it;s own pagination saved. Fixes [#3510]
  • 👉 Use reload instead of restart on zone save
  • ➕ Add reload to monitor zmcControl
  • 🛠 Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes [#3643]
  • ➕ Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
  • ➕ Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep. Speeds up zoneminder shutdown
  • 🛠 fix format endtime on events list on watch view
  • 💻 Include command line in debug output when generating images
  • 🛠 Fix missing/corrupted pre-alarm frames in recording. Fixes #3656
  • ✂ Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes [#3657]
  • 👍 Allow viewing of events whose Monitor[Function]=None
  • ✂ Remove stripslashes when saving config values. The values in REQUEST have not been escaped, so strip slashes is not appropriate. Fixes [#3655]
  • 💅 Apply chosen styles to dropdowns in Options, allowing text search
  • Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr and not modifying the packet, should not need locking. Also, locking in one thread and unlocking in another is apparentlyundefined behaviour and doesn't work infreebsd.
  • 🛠 fixes for freebsd
  • 🛠 Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
  • 🛠 Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes [#3488]
  • ➕ Add 2>&1 to command to delete event dir so that we get error messages logged.
  • 🚚 Move code from Event to Storage to implement delete_path()
  • ⏱ Use ajax() instead of getJSON with no timeout when deleting events.
  • ⚡️ Update monitor preset view: Use a submit button instead of input with javascript. Remove no longer needed js code. Sort presets by Name.
  • 🛠 Fix saving Server modal. Form was incomplete, action and view were duplicated. Don't need javascript just use the submit button Save.
  • 👌 Improve info when moving event to show source and Dest paths
  • Remove dead code from report_event_audit.js
  • 🚚 Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects. remove unused action input and put view in the get part of form action
  • ➕ Add styles to table headers to left align them to match the body

  🚀 Vulnerabilities address by this release

  🔒 GHSA-h5m9-6jjc-cgmw CVE-2023-26036
  🔒 GHSA-6c72-q9mw-mwx9 CVE-2023-26032
  🔒 GHSA-65jp-2hj3-3733 CVE-2023-26037
  🔒 GHSA-44q8-h2pw-cc9g CVE-2023-26039
  🔒 GHSA-wrx3-r8c4-r24wCVE-2023-2603
  🔒 GHSA-72rg-h4vf-29gr CVE-2023-26035
  🔒 GHSA-222j-wh8m-xjrx CVE-2023-26034
  🔒 GHSA-68vf-g4qm-jr6v CVE-2023-25825

  Full Changelog : 1.36.32...1.36.33

  The bulk of these issues were found during Perfect Blue's 2023 CTF event. https://ctf.perfect.blue/

  Thank you to the participants and thanks for the responsible disclosures. We are stronger for it.

  ⚡️ All users of ZoneMinder < 1.36.33 are hereby EXTREMELY STRONGLY recommended to update.

• v1.36.32 Changes

  November 18, 2022

  🔄 Changes since 1.36.31

  • More properly fix the alarm status api changing. The previous hack broke doing alarm on/off.
  • 🛠 fix handle of SQL generation of IN array when array is empty. Just always return false.
  • 🛠 Fix test for null in Object::find
  • 👉 Make inputs on filter action table 100%
  • 🛠 Fix Warning when monitor is not visible
  • 🛠 Switch to utf8mb4 to support 4 byte unicode Fixes [#3514]
  • 👉 Make search input the same size as other toolbar elements
  • ✂ Remove deprecated CAMBOZOLA references
  • ⚡️ Update Monitor symlinking, improving deleting old link when changing name
  • 🛠 Fix zone deleting and fix an extra comma in default coordinates
  • ➕ Add libswscale6 and libswresample4 dependencies for ubuntu kinetic
  • ✂ Remove return type from session class methods. not supported in php5.4. Fixes breakage on centos7. Fixes [#3622]
  • 🛠 Fix recalculating Event Disk Space a second time when updating.
  • Set xhrFields: withCredentials: true so that we send cookies with our streaming xhr requests so that we pick up new auth hashes
  • ➕ Add Access-Control-Allow-Credentials: true so that we can pass cookies along with xhr requests.
  • ➕ Add Cause, Notes and EndDateTime to available columns in events list on watch view
  • 👉 Make button on Filter Debug modal be Close instead of Cancel
  • 🖐 Handle empty but defined REQUEST[action]
  • replace php Memcached with Apc on Fedora
  • 👍 Allow MonitorName as default sort field as well as Monitor
  • Try out just using connkey as the semaphore key instead of ftok in ajax streaming requests
  • Turn back on error_reporting, just don't display the error in json ajax requests.
  • 🛠 Check for return value of openEvent. Fixes crash when openEvent fails
  • 🛠 Fix infinite recursion in montagereview
  • ➕ Add error message when minTime >= maxTime in montagereview
  • 🛠 Fix crash in zmfilter DiskSpace Update when Event doesn't exist
  • 💅 Make .form-group styles export page specific because they are affecting layout in modals
  • Cleanup the state modal. Fix form post
  • 🛠 Set web backend db connection to utf8 Fixes [#3631]
  • implode the output from zmu to fix php complaint abou array to string

  - 🛠 convert strings into integers before doing math as of php 8.2 Fixes Unsupported operand types: string - int

  Full Changelog : 1.36.31...1.36.32

• 1
• 2
• 3
• 4
• 5
• Next ›
• Last »