Description
ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.
Published: 2026-03-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows arbitrary client‑side code execution
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw in ZKTeco ZKAccess Security System permits attackers to embed malicious HTML and JavaScript by submitting crafted values for the holiday_name and memo parameters. The injected payload is saved and later rendered to any user who views the affected page, enabling attackers to run arbitrary code within the victim’s browser session and obtain sensitive data present on that page.

Affected Systems

This vulnerability affects ZKTeco Inc.’s ZKAccess Security System, version 5.3.1. No other versions are listed as affected in the available data.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the Medium severity range, while an EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not catalogued in CISA’s KEV catalog. Based on the description, the attack vector is remote, relying on an attacker’s ability to send HTTP POST requests containing malicious payloads to the system’s web interface; this inference is made from the mention of POST parameters.

Generated by OpenCVE AI on March 21, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch for ZKAccess Security System as soon as it becomes available.
  • Limit access to the web interface so that only trusted users can submit holiday_name and memo data.
  • Implement input validation and output encoding for all user‑supplied fields to prevent stored XSS attacks.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Zkteco; Zkteco zkaccess Security System

Type: Vendors & Products
Values removed: (none)
Values added: Zkteco; Zkteco zkaccess Security System

Sun, 15 Mar 2026 14:00:00 +0000

Type: Description
Values removed: (none)
Values added: ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

Type: Title
Values removed: (none)
Values added: ZKTeco ZKAccess Security System 5.3.1 Stored XSS

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}
cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Zkteco Zkaccess Security System
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:19.748Z

Reserved: 2026-03-15T12:37:27.744Z

Link: CVE-2016-20032

Vulnrichment

Updated: 2026-03-16T14:17:41.328Z

NVD

Status: Deferred

Published: 2026-03-16T14:17:50.097

Modified: 2026-04-15T14:56:45.970

Link: CVE-2016-20032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:44Z

Weaknesses