CVE-2026-11943
Status: Deferred - Pending Action
Authenticated Stored XSS in Akaunting Invoice Timeline

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Fluid Attacks

Description
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript in their own profile name, which the timeline then renders for other users who open the invoice or bill.
Meta Information
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: akaunting; Product: akaunting; Version: 3.1.21 (one associated CPE)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is an authenticated stored cross-site scripting (XSS) issue in Akaunting version 3.1.21. An authenticated user can inject malicious HTML or JavaScript code into their own profile name. This malicious code is then stored in the database and later rendered without proper sanitization in the document timeline feature on invoice and bill detail pages. When other users view these documents, the injected script executes in their browsers.

Impact Analysis

The impact of this vulnerability is that an attacker with authenticated access can execute malicious scripts in the browsers of other users who view affected documents. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities performed on behalf of the victim user. Since the vulnerability involves stored XSS, the malicious payload persists and can affect multiple users.

Detection Guidance

This vulnerability involves an authenticated stored cross-site scripting (XSS) in the document timeline feature of Akaunting 3.1.21, where malicious HTML or JavaScript can be injected into user profile names.

To detect exploitation on your system, check whether stored user profile names contain HTML tags or script elements that the document timeline would render. Because the payload lives in the profile name itself, a query over that column is the most direct check.

  • Example SQL command to find suspicious profile names: SELECT id, profile_name FROM users WHERE profile_name LIKE '%<script>%' OR profile_name LIKE '%<%' OR profile_name LIKE '%>%' LIMIT 10;
  • Monitor HTTP requests and responses for injected scripts in the timeline descriptions by inspecting the HTML content rendered in invoice and bill detail pages.
  • Use web application security scanners or manual testing to authenticate and attempt to inject HTML/JavaScript into profile names and observe if it executes in timeline views.
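The database query above only looks for bare angle brackets, which both over-matches (a name like "Dana <dana@example.com>") and misses entity-encoded values. The following is an added example, not code from the advisory or from the Akaunting project, that applies a stricter set of markup indicators to an exported list of user rows; the rows are constructed sample data, and the column names are assumed.

```python
import html
import re

# Constructed sample rows, shaped like an (id, name) export of a users table.
# Rows 2, 3 and 6 carry the kind of markup a stored-XSS payload leaves behind;
# rows 1, 4 and 5 are benign names that a good check must NOT flag.
SAMPLE_USERS = [
    (1, "Alice Martin"),
    (2, "Bob <script>alert(document.cookie)</script>"),
    (3, '<img src=x onerror="alert(1)">'),
    (4, "O'Brien & Sons"),
    (5, "Dana <dana@example.com>"),
    (6, "Eve &lt;svg onload=alert(1)&gt;"),
]

# A tag is '<', optional '/', a tag name, then whitespace, '>' or '/'.
# Requiring the terminator is what keeps "<dana@example.com>" out.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z][a-zA-Z0-9-]*(?:\s|>|/)")
# Event-handler attributes and javascript: URLs are strong signals even
# when no complete tag is present.
HANDLER_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)
JS_URL_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def suspicious_reasons(name: str) -> list:
    """Return the markup indicators found in a profile name (empty if none)."""
    # Check both the raw value and its entity-decoded form: a name stored as
    # '&lt;script&gt;' is inert if rendered as-is, but any template or helper
    # that decodes entities before output would revive it.
    reasons = []
    for label, text in (("raw", name), ("decoded", html.unescape(name))):
        if TAG_RE.search(text):
            reasons.append(f"{label}: tag-like markup")
        if HANDLER_RE.search(text):
            reasons.append(f"{label}: event handler attribute")
        if JS_URL_RE.search(text):
            reasons.append(f"{label}: javascript: URL")
    return reasons


def scan_users(rows):
    """Return (id, name, reasons) for every row whose name looks like markup."""
    findings = []
    for user_id, name in rows:
        reasons = suspicious_reasons(name)
        if reasons:
            findings.append((user_id, name, reasons))
    return findings


if __name__ == "__main__":
    for user_id, name, reasons in scan_users(SAMPLE_USERS):
        print(f"user {user_id}: {name!r} -> {', '.join(reasons)}")
```

Run the scan over a full export rather than a `LIMIT`ed result set, and review every finding by hand: the indicators are signals, not proof, and a flagged row should be checked against the user's change history for the profile field.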
Mitigation Strategies

Currently, there is no patch available for this vulnerability in Akaunting 3.1.21.

Immediate mitigation steps include:

  • Restrict or disable the ability for users to modify their profile names until a fix is released.
  • Implement input validation and sanitization on profile name fields to prevent HTML or JavaScript injection.
  • Apply output encoding or escaping on user profile names when rendering them in the document timeline to prevent script execution.
  • Limit access to the document timeline feature to trusted users only, reducing the risk of exploitation.
  • Monitor logs and user activity for suspicious behavior related to profile name changes or timeline rendering.
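The second and third mitigation bullets are the two controls that actually remove the bug class: validate the field on input and escape it on output. The following is an added example, not code from the advisory or from Akaunting, showing the vulnerable rendering pattern next to its hardened form in Python; the timeline markup, the name policy and the sample names are this example's own assumptions. Akaunting is built on Laravel, where the same output-side distinction is Blade's escaping `{{ $name }}` versus the raw `{!! $name !!}`.

```python
import html
import re

# Constructed sample names. The first is the kind of payload the advisory
# describes; the second is a legitimate name that escaping must not mangle.
MALICIOUS_NAME = '<img src=x onerror="alert(document.cookie)">'
BENIGN_NAME = "O'Brien & Sons"

# Input-side policy (this example's choice, not Akaunting's): printable text,
# no angle brackets, no control characters, bounded length.
NAME_RE = re.compile(r"[^<>\x00-\x1f]{1,191}")


def validate_profile_name(name: str) -> bool:
    """Reject profile names that contain markup characters."""
    return NAME_RE.fullmatch(name.strip()) is not None


def render_timeline_entry_vulnerable(name: str, action: str) -> str:
    """The vulnerable pattern: a stored field concatenated into HTML as-is."""
    return f'<li class="timeline-item"><strong>{name}</strong> {action}</li>'


def render_timeline_entry(name: str, action: str) -> str:
    """Output-side control: escape every interpolated value at render time.
    quote=True also escapes quotes, so the value is safe inside attributes."""
    safe_name = html.escape(name, quote=True)
    safe_action = html.escape(action, quote=True)
    return f'<li class="timeline-item"><strong>{safe_name}</strong> {safe_action}</li>'


def tag_names(rendered: str) -> list:
    """List the tags the browser would parse from a rendered entry, in order.
    Only the template's own tags should ever appear here."""
    return re.findall(r"<(/?[a-zA-Z]+)", rendered)


if __name__ == "__main__":
    print("validate:", validate_profile_name(MALICIOUS_NAME), validate_profile_name(BENIGN_NAME))
    print("vulnerable:", tag_names(render_timeline_entry_vulnerable(MALICIOUS_NAME, "created this invoice")))
    print("hardened:  ", tag_names(render_timeline_entry(MALICIOUS_NAME, "created this invoice")))
    print(render_timeline_entry(BENIGN_NAME, "created this invoice"))
```

Input validation alone is not sufficient, because names already stored before the rule was added, or written through another path, bypass it; output escaping is the control that holds regardless of how the value got into the database, which is why both bullets belong together.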