Description
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript in their own profile name.
Published: 2026-06-22
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerable version of the accounting application stores an authenticated user’s profile name as raw HTML and displays it in the document timeline on invoice and bill detail pages. This allows that user to insert malicious JavaScript that is rendered each time the page is viewed. The injection is persistent and can lead to session hijacking, credential theft, defacement, and other integrity or confidentiality breaches inherent to a classic stored XSS flaw (CWE-79).

Affected Systems

The flaw is present only in Akaunting version 3.1.21 and is distributed for Linux, macOS, and Windows operating systems. Any installation of that release that displays a user’s profile name in an invoice or bill detail timeline is impacted. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate severity. The EPSS score is not available, so the current exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account to set a malicious profile name; no higher privileges are needed. Once set, the malicious script executes in the browser context of any other user who views the invoice or bill detail page, representing a moderate risk of web session hijacking or defacement. The attack vector is inferred to be internal, relying on compromised or legitimate credentials.

Generated by OpenCVE AI on June 22, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer version of Akaunting that contains the patch for this issue.
  • If an upgrade cannot be performed immediately, escape or sanitize the profile name before rendering it in the document timeline to prevent script execution.
  • Add a Content Security Policy that disallows inline scripts on the invoice and bill detail pages to mitigate the impact of any future XSS attempts.
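The escape-before-render mitigation and the inline-script CSP from the list above, shown side by side with the unsafe raw-HTML pattern, as an added PHP illustration that is not Akaunting's own code: the function names, the timeline markup, the CSP directives and the sample profile name are constructed for this example.

```php
<?php
// Added illustration, not Akaunting's code. It contrasts raw concatenation of a
// user-controlled profile name (the vulnerable pattern) with output escaping,
// adds a CSP that blocks inline scripts, and includes a small audit helper for
// names that are already stored.

declare(strict_types=1);

/** Escape a string for safe insertion into an HTML text node or quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Unsafe: the profile name is concatenated into the markup as raw HTML. */
function renderTimelineEntryUnsafe(string $profileName, string $action, string $when): string
{
    return "<li class=\"timeline-entry\">{$profileName} {$action} <time>{$when}</time></li>";
}

/** Safe: every user-controlled value is escaped before it reaches the page. */
function renderTimelineEntry(string $profileName, string $action, string $when): string
{
    return '<li class="timeline-entry">' . h($profileName) . ' ' . h($action)
        . ' <time>' . h($when) . '</time></li>';
}

/** Audit helper: return the stored names that already contain markup characters. */
function findSuspiciousNames(array $names): array
{
    return array_values(array_filter(
        $names,
        fn(string $n): bool => preg_match('/[<>"\']|&#/', $n) === 1
    ));
}

/** Nonce-based CSP: inline scripts are blocked, the app's own nonced scripts still load. */
function sendCspHeader(string $nonce): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
        . "object-src 'none'; base-uri 'self'");
}

// Constructed sample: a profile name carrying markup, as stored by a malicious account.
$name = 'Jane <script>alert(1)</script>';

sendCspHeader(bin2hex(random_bytes(16)));
echo renderTimelineEntryUnsafe($name, 'sent this invoice', '2026-06-22'), PHP_EOL;
echo renderTimelineEntry($name, 'sent this invoice', '2026-06-22'), PHP_EOL;
print_r(findSuspiciousNames(['Alice', $name, 'Bob']));
```

The safe renderer emits `&lt;script&gt;alert(1)&lt;/script&gt;`, so the browser shows the name as text instead of executing it; the audit helper is the check to run over existing user records after upgrading, since escaping on output does not clean up what was stored while the flaw was live.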

Generated by OpenCVE AI on June 22, 2026 at 16:22 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | - | Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript in their own profile name.
Title | - | Akaunting 3.1.21 - Authenticated stored XSS in document timeline
First Time appeared | - | Akaunting; Akaunting akaunting
Weaknesses | - | CWE-79
CPEs | - | cpe:2.3:a:akaunting:akaunting:3.1.21:*:linux:*:*:*:*:*; cpe:2.3:a:akaunting:akaunting:3.1.21:*:macos:*:*:*:*:*; cpe:2.3:a:akaunting:akaunting:3.1.21:*:windows:*:*:*:*:*
Vendors & Products | - | Akaunting; Akaunting akaunting
References | - | -
Metrics | - | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-22T15:32:35.425Z

Reserved: 2026-06-10T20:45:07.142Z

Link: CVE-2026-11943

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')