RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.
https://medium.com/%40dk50u1/rce-remote-code-execution-in-zoneminder-up-to-1-36-33-0686f5bcd370