CVE-2026-11994
Deferred Deferred - Pending Action

Authenticated Stored XSS in Akaunting Report Management

Vulnerability report for CVE-2026-11994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Fluid Attacks

Description

Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
akaunting akaunting 3.1.21

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated stored Cross-Site Scripting (XSS) flaw found in Akaunting version 3.1.21 within the report management workflow.

A user who has permission to create or update reports can inject arbitrary HTML or JavaScript code into the description field of a report.

The malicious code is stored and later rendered unsafely in two administrative interfaces: the report edit form and the reports index page.

This happens because of insufficient input validation, direct persistence of user-supplied data, and raw output rendering without encoding.

An example payload could be something like </textarea><img src=x onerror=alert(document.domain)>, which executes when another user views the affected page.

Impact Analysis

This vulnerability can allow an attacker with report creation or update permissions to execute malicious scripts in the context of other users who view the affected reports.

Such script execution can lead to unauthorized actions, data theft, session hijacking, or other malicious activities within the administrative interfaces.

Because the vulnerability requires authenticated access with specific permissions, the risk is limited to users who have those privileges.

However, if exploited, it can compromise the integrity and security of the application and its users.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious HTML or JavaScript payloads in the description field of reports within Akaunting version 3.1.21. Since the vulnerability involves stored Cross-Site Scripting (XSS), detection involves inspecting report descriptions for suspicious script tags or event handlers.

One approach is to query the database or use application interfaces to search for typical XSS payload patterns such as <img src=x onerror=alert(document.domain)> or similar script injections in the report descriptions.

Specific commands depend on your environment, but for example, if you have direct database access, you could run a SQL query like:

  • SELECT id, description FROM reports WHERE description LIKE '%<script%' OR description LIKE '%onerror=%' OR description LIKE '%<img%';

Additionally, monitoring HTTP traffic for suspicious payloads or using web application security scanners that detect stored XSS vulnerabilities in the report management workflow can help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting report creation and update permissions to only trusted users, as the vulnerability requires authenticated users with such permissions.

Since no patch is currently available, it is critical to implement input validation and output encoding manually if possible, to prevent malicious HTML/JavaScript from being stored or rendered.

As a temporary workaround, you can audit and sanitize existing report descriptions to remove any malicious scripts.

Also, educate users and administrators about the risk and monitor the application for suspicious activity related to report creation or updates.

Compliance Impact

The provided information does not specify how the authenticated stored Cross-Site Scripting (XSS) vulnerability in Akaunting 3.1.21 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart