
ZKTeco ZKAccess Security System EUVD-2016-10819

CVE-2016-20032 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-15 · VulnCheck
5.1 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive
Scope: Not defined

Lifecycle Timeline (6 events)

Apr 15, 2026 15:22, NVD: Severity changed from HIGH to MEDIUM
Apr 15, 2026 15:22, NVD: CVSS score changed from 7.2 (HIGH) to 5.1 (MEDIUM)
Mar 16, 2026 14:53, vuln.today: PoC detected (public exploit code)
Mar 15, 2026 14:00, euvd: EUVD ID assigned (EUVD-2016-10819)
Mar 15, 2026 14:00, vuln.today: Analysis generated
Mar 15, 2026 13:35, nvd: CVE published with score 7.2 (HIGH)

Description (CVE.org)

ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

Analysis (AI)

A stored cross-site scripting (XSS) vulnerability in ZKTeco ZKAccess Security System 5.3.1 allows remote attackers to inject malicious scripts via the 'holiday_name' and 'memo' POST parameters without authentication. Multiple public proof-of-concept exploits are available, so unpatched systems are actively exploitable.

Technical Context (AI)

This vulnerability affects ZKTeco ZKAccess Security System version 5.3.1 and potentially earlier versions (the CPE entry uses a wildcard version, so all versions may be affected). The CWE-79 classification indicates improper neutralization of user-supplied input before it is written to web pages. The system fails to sanitize the 'holiday_name' and 'memo' POST parameters, allowing injected JavaScript and HTML to persist in the database (stored XSS) and execute in the browser of any user who later views the affected page. ZKAccess is a physical access control and time attendance management system, which makes this particularly concerning: a compromised administrator session could be used against the security infrastructure itself.

Remediation (AI)

No specific patch information is available in the provided references. Recommended actions:
1) Contact ZKTeco support for updates beyond version 5.3.1.
2) Implement input validation and output encoding for the 'holiday_name' and 'memo' parameters as an immediate mitigation.
3) Deploy a Web Application Firewall (WAF) to filter XSS payloads.
4) Restrict network access to the ZKAccess management interface to trusted IP addresses only.
The vendor advisory link (vulncheck.com) should be consulted for potential updates.
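The output-encoding and input-validation mitigation in step 2, as an added example that is not part of this advisory or of the ZKAccess product: the unsafe rendering pattern behind CWE-79 beside its encoded form, an intake check for the two named parameters, and a helper to flag already-stored records that contain markup. The record layout, field limits and sample POST body are assumptions constructed for the example.

```python
import html
import re

# Constructed sample of a holiday form submission; the field names come from
# the advisory, the values and record layout are assumed for this example.
SAMPLE_POST = {
    "holiday_name": "New Year <script>alert(1)</script>",
    "memo": "Office closed & <b>early</b>",
}

MAX_NAME = 64    # assumed limit for holiday_name
MAX_MEMO = 256   # assumed limit for memo
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_TAG_LIKE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def render_holiday_row_unsafe(record):
    """Vulnerable pattern (CWE-79): stored values interpolated straight into HTML."""
    return f"<tr><td>{record['holiday_name']}</td><td>{record['memo']}</td></tr>"


def render_holiday_row_safe(record):
    """Hardened form: encode on output so stored markup is displayed, not executed."""
    name = html.escape(record["holiday_name"], quote=True)
    memo = html.escape(record["memo"], quote=True)
    return f"<tr><td>{name}</td><td>{memo}</td></tr>"


def validate_holiday_input(post):
    """Defence in depth at intake: bounded length, string type, no control chars.

    Returns a list of problems; an empty list means the request is acceptable.
    This does not replace output encoding: a legitimate memo may contain '<' or '&'.
    """
    problems = []
    for field, limit in (("holiday_name", MAX_NAME), ("memo", MAX_MEMO)):
        value = post.get(field, "")
        if not isinstance(value, str):
            problems.append(f"{field}: not a string")
            continue
        if len(value) > limit:
            problems.append(f"{field}: longer than {limit} characters")
        if _CONTROL_CHARS.search(value):
            problems.append(f"{field}: contains control characters")
    return problems


def contains_markup(value):
    """Review helper: flag stored values that look like HTML tags for cleanup."""
    return bool(_TAG_LIKE.search(value))
```

Scanning existing holiday records with contains_markup() helps find payloads that were stored before the fix; validation only protects new submissions.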
