Description
ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.
Published: 2026-03-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

ZKTeco ZKBioSecurity 3.0 contains several reflected cross‑site scripting weaknesses that allow an attacker to inject arbitrary HTML and JavaScript code by supplying malicious payloads in unsanitized URL parameters. When a user visits a crafted URL, the application echoes the malicious input without proper filtering, enabling the attacker to run code in the victim’s browser within the context of the affected application.

Affected Systems

The vulnerability affects ZKTeco Inc.’s ZKBioSecurity 3.0 system. No additional version qualifiers are provided in the advisory.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk. Exploitation is possible only when a user accesses a specially crafted web URL, meaning it is a remote web‑based attack. The EPSS score of less than 1% suggests that the likelihood of exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. The potential impact is confined to the victim browser session, where an attacker could execute arbitrary code, steal session information, or deface the application’s UI.

Generated by OpenCVE AI on March 21, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for ZKTeco ZKBioSecurity 3.0
  • If a patch is not yet available, configure a web application firewall or input‑validation rules to block malicious script inputs
  • Verify that the application no longer reflects unsanitized parameters by testing it with known XSS payloads

Generated by OpenCVE AI on March 21, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Zkteco
Zkteco zkbiosecurity
Vendors & Products Zkteco
Zkteco zkbiosecurity

Sun, 15 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.
Title ZKTeco ZKBioSecurity 3.0 Multiple Reflected XSS Vulnerabilities
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Zkteco Zkbiosecurity
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:20.593Z

Reserved: 2026-03-15T12:36:42.720Z

Link: CVE-2016-20027

cve-icon Vulnrichment

Updated: 2026-03-16T14:17:52.318Z

cve-icon NVD

Status : Deferred

Published: 2026-03-16T14:17:49.117

Modified: 2026-04-15T14:56:45.970

Link: CVE-2016-20027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:49Z

Weaknesses