Description
A vulnerability has been found in Akaunting up to 3.1.21. This issue affects some unknown processing of the component Invoice/Billing. The manipulation of the argument notes leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from insufficient validation of the notes argument in Akaunting's Invoice/Billing module. A malicious payload injected into this field is rendered directly in the victim's browser, allowing an attacker to execute arbitrary JavaScript. This is a classic reflected XSS scenario (CWE-79) and, because executable code can be inserted, it also maps to CWE-94. If an attacker can deliver a crafted request, the injected script can hijack sessions, steal credentials, or alter page content, potentially compromising data confidentiality and integrity.

Affected Systems

Akaunting versions up to and including 3.1.21 are affected; no further version details are available.

Risk and Exploitability

The CVSS score of 5.1 classifies this issue as medium severity. The lack of an EPSS score and KEV listing suggests no confirmed large-scale exploitation; however, exploitation is feasible remotely by sending a crafted HTTP request containing malicious content in the notes field. Based on the description, it is unclear whether unauthenticated users or only users with write access to invoices can exploit this flaw; the CVSS vectors recorded below (PR:L in v3.x/v4.0, Au:S in v2.0) indicate that low privileges are required.

Generated by OpenCVE AI on April 5, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Akaunting to a version newer than 3.1.21 where the notes field is properly sanitized.
  • Restrict the ability to add notes in Invoice/Billing to trusted users and ensure input is validated or escaped before display.
  • Configure a web application firewall to block or sanitize malicious scripts in the notes parameter.
  • Verify that a vendor patch has been released and monitor for security advisories.
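The recommended actions above come down to two controls: encode the notes value at the point where it is written into HTML, and watch for markup arriving in the notes parameter. The Python below is an added illustration of both and is not Akaunting code or anything from the advisory. The field name, the invoice path, the log lines and the sample notes value are all constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample value for the "notes" argument (not taken from the advisory).
SAMPLE_NOTES = 'Net 30 days <script>alert(1)</script> <b onmouseover="x()">thanks</b>'

# A raw "<" followed by an optional "/" and a letter is the start of an HTML tag.
# Once the value is entity-encoded, no such sequence survives.
_RAW_TAG = re.compile(r'<\s*/?\s*[a-z]', re.IGNORECASE)


def contains_active_html(fragment: str) -> bool:
    """True if the fragment still contains a raw HTML tag a browser would parse."""
    return _RAW_TAG.search(fragment) is not None


def encode_notes(notes: str) -> str:
    """Output encoding for an HTML element body: & < > \" and ' become entities."""
    return html.escape(notes, quote=True)


def render_notes_unsafe(notes: str) -> str:
    """The CWE-79 pattern: user-controlled text concatenated straight into the page."""
    return f'<p class="notes">{notes}</p>'


def render_notes_escaped(notes: str) -> str:
    """Hardened form: the same template, with the value encoded on output."""
    return f'<p class="notes">{encode_notes(notes)}</p>'


# Pulls the request target out of a combined-format access-log line.
_REQUEST_TARGET = re.compile(r'"(?:GET|POST|PUT|PATCH)\s+(\S+)')


def notes_param_suspicious(log_line: str) -> bool:
    """Detection-side check: flag a URL-encoded 'notes' query parameter that decodes
    to markup. Only query strings are visible in access logs; a POST body would have
    to be inspected at the WAF or application layer instead."""
    m = _REQUEST_TARGET.search(log_line)
    if not m:
        return False
    query = urlparse(m.group(1)).query
    return any(contains_active_html(v) for v in parse_qs(query).get('notes', []))


# Constructed access-log lines (hypothetical path and client addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Apr/2026:13:15:00 +0000] "GET /invoices/1?notes=Net+30+days HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Apr/2026:13:16:02 +0000] "GET /invoices/1?notes=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 540',
]


def suspicious_lines(lines):
    """Return only the log lines whose notes parameter carries markup."""
    return [line for line in lines if notes_param_suspicious(line)]


if __name__ == "__main__":
    print(render_notes_unsafe(SAMPLE_NOTES))
    print(render_notes_escaped(SAMPLE_NOTES))
    print(suspicious_lines(SAMPLE_LOG))
```

The encoding step is the actual fix; the log check is a compensating detection and only sees what reaches the access log. Akaunting is built on Laravel, where the equivalent of `render_notes_escaped` is rendering the value in a Blade template with `{{ $notes }}` (escaped) rather than `{!! $notes !!}` (raw); which template the affected page uses is not stated in the advisory.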

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Akaunting; Akaunting akaunting
Vendors & Products                    Akaunting; Akaunting akaunting

Mon, 06 Apr 2026 20:00:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 13:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability has been found in Akaunting up to 3.1.21. This issue affects some unknown processing of the component Invoice/Billing. The manipulation of the argument notes leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                          Akaunting Invoice/Billing cross site scripting
Weaknesses                     CWE-79; CWE-94
References
Metrics                        cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Akaunting Akaunting
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T18:04:31.101Z

Reserved: 2026-04-04T14:29:44.140Z

Link: CVE-2026-5568

Vulnrichment

Updated: 2026-04-06T18:04:20.408Z

NVD

Status : Deferred

Published: 2026-04-05T13:17:14.900

Modified: 2026-04-24T18:14:34.620

Link: CVE-2026-5568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:43Z

Weaknesses