CVE-2016-20032 MEDIUM

CVE-2016-20032: ZKTeco ZKAccess Security System 5.3.1 Stored XSS

Vendor Zkteco Inc.
Product ZKTeco ZKAccess Security System
Weakness CWE-79 · XSS
Published March 15, 2026
Last update June 8, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

Key dates

02 Disclosure timeline

March 15, 2026 CVE published
June 8, 2026 Record updated