Description
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name.
Published: 2026-06-22
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Akaunting 3.1.21 allows an authenticated user with the right to create or modify records to store arbitrary HTML or JavaScript in a record’s name. When that record is later deleted, the delete confirmation modal displays the stored data, causing the browser to execute the script in the context of the current user. The result is an authenticated local XSS that can steal session cookies, perform phishing attacks, or execute other malicious actions within the affected user’s session. It does not provide remote code execution on the server side but enables attackers to compromise confidentiality and integrity for users who trigger the delete flow.

Affected Systems

The vulnerability exists in Akaunting 3.1.21 running on Linux, macOS, and Windows platforms. No version upgrades or patches are listed in the current data; the affected product is the entire Akaunting application at that specific release.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity level. Because the exploit requires authentication and specific permissions, the attack surface is limited to users who can modify records. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must first gain access with appropriate privileges, then create or alter a record to inject malicious code. The stored script is replayed each time the delete confirmation is invoked by any user with permission to view the record, extending the vulnerability’s impact across multiple users until patched.

Generated by OpenCVE AI on June 22, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Akaunting that includes the XSS fix (check the vendor’s release notes for an update beyond 3.1.21).
  • Restrict permissions that allow record creation or modification to trusted administrators only, reducing the number of users who could inject malicious content.
  • If an immediate upgrade is not possible, apply a server-side sanitization or output-escaping fix to the delete confirmation modal so any stored record names are escaped before rendering, preventing script execution.
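The output escaping described in the last action, shown as an added JavaScript example that is not Akaunting's own code. It assumes the modal body is built by interpolating the stored record name into a markup string; the item name, template text and helper names are constructed for illustration.

```javascript
// Map of the five characters that must be escaped before data is placed
// into an HTML text node or attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (constructed): the raw stored name is interpolated into
// the modal markup, so any tags it contains are parsed by the browser.
function buildDeleteModalUnsafe(recordName) {
  return `<p>Are you sure you want to delete <strong>${recordName}</strong>?</p>`;
}

// Hardened pattern: escape at output time, so the name is rendered as text
// no matter what was stored in the database.
function buildDeleteModalSafe(recordName) {
  return `<p>Are you sure you want to delete <strong>${escapeHtml(recordName)}</strong>?</p>`;
}

// Audit helper: given a rendered fragment and the tags the template itself
// emits, return any other tag names that survived, which indicates that
// stored data reached the markup unescaped.
function findUnexpectedTags(html, allowedTags) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowedTags.includes(tag)) found.add(tag);
  }
  return [...found];
}

// Constructed sample: an Item name carrying markup, as the advisory describes.
const CONSTRUCTED_ITEM_NAME = 'Office chair <script>alert(1)</script>';
const TEMPLATE_TAGS = ['p', 'strong'];

// Stand-alone run: the unsafe build leaks a <script> tag, the safe one does not.
console.log(findUnexpectedTags(buildDeleteModalUnsafe(CONSTRUCTED_ITEM_NAME), TEMPLATE_TAGS));
console.log(findUnexpectedTags(buildDeleteModalSafe(CONSTRUCTED_ITEM_NAME), TEMPLATE_TAGS));
```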

Generated by OpenCVE AI on June 22, 2026 at 16:25 UTC.


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Values added in this entry (the Values Removed column is empty):

  • Description: Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name.
  • Title: Akaunting 3.1.21 - Stored XSS in delete confirmation modal
  • First Time appeared: Akaunting; Akaunting akaunting
  • Weaknesses: CWE-79
  • CPEs: cpe:2.3:a:akaunting:akaunting:3.1.21:*:linux:*:*:*:*:*; cpe:2.3:a:akaunting:akaunting:3.1.21:*:macos:*:*:*:*:*; cpe:2.3:a:akaunting:akaunting:3.1.21:*:windows:*:*:*:*:*
  • Vendors & Products: Akaunting; Akaunting akaunting
  • References: (none listed)
  • Metrics: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-22T15:18:29.257Z

Reserved: 2026-06-10T20:28:05.261Z

Link: CVE-2026-11942

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')