Description
Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report.
Published: 2026-06-22
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Akaunting accounting software 3.1.21 includes an authenticated stored cross-site scripting flaw in the report management workflow. A user who can create or update reports can store arbitrary HTML or JavaScript in the report description field, which the web interface later renders. When another authorized user views that report, the injected script executes in the victim's browser, allowing the attacker to hijack the user's session, steal credentials, or alter page content. The weakness is the classic failure to neutralize user input during web page generation, CWE-79.

Affected Systems

The flaw affects all installations of Akaunting version 3.1.21 running on Linux, macOS, or Windows. Exploitation requires only an account with permission to create or update reports.

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate severity. EPSS is not reported, and the vulnerability is not present in the CISA KEV catalog. The attack vector requires an authenticated user with report‑management privileges; therefore, the exploit is limited to insiders or compromised accounts. However, once an attacker can create or modify a report, any other user who views that report will be exposed to the injected code. Organizations using Akaunting 3.1.21 should consider the risk moderate but non‑negligible for internal threat models.

Generated by OpenCVE AI on June 22, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of Akaunting that contains the XSS fix.
  • Restrict or revoke report creation and update permissions for users who do not need them.
  • Enforce input sanitization or output encoding on the report description field to block arbitrary HTML or JavaScript execution.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report.
Title | | Akaunting 3.1.21 - Authenticated stored XSS in report description rendering
First Time appeared | | Akaunting; Akaunting akaunting
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:akaunting:akaunting:3.1.21:*:linux:*:*:*:*:*; cpe:2.3:a:akaunting:akaunting:3.1.21:*:macos:*:*:*:*:*; cpe:2.3:a:akaunting:akaunting:3.1.21:*:windows:*:*:*:*:*
Vendors & Products | | Akaunting; Akaunting akaunting
References | |
Metrics | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-22T18:26:24.687Z

Reserved: 2026-06-11T15:13:22.151Z

Link: CVE-2026-11994

Vulnrichment

Updated: 2026-06-22T18:24:45.819Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')