High severity7.2NVD Advisory· Published Mar 16, 2026· Updated Apr 15, 2026

CVE-2016-20032

Description

ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cxsecurity.com/issue/WLB-2016090004nvd
exchange.xforce.ibmcloud.com/vulnerabilities/116479nvd
packetstormsecurity.com/files/138572nvd
www.exploit-db.com/exploits/40328/nvd
www.vulncheck.com/advisories/zkteco-zkaccess-security-system-stored-xssnvd
www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.phpnvd

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000