Skip to main content

Akaunting CVE-2024-22836

CRITICAL
OS Command Injection (CWE-78)
2024-02-08 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 08, 2024 - 20:15 nvd
CRITICAL 9.8

DescriptionNVD

An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.

AnalysisAI

An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server. Affected products include: Akaunting.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2021-36800 CRITICAL POC
9.1 Aug 04

Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application.

CVE-2021-36804 HIGH POC
8.1 Aug 04

Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy

CVE-2021-36801 HIGH POC
8.1 Aug 04

Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, compani

CVE-2021-36802 MEDIUM POC
6.5 Aug 04

Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'lo

CVE-2021-36803 MEDIUM POC
5.4 Aug 04

Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in pro

CVE-2021-36805 MEDIUM POC
4.8 Aug 04

Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the

CVE-2026-5568 LOW POC
2.0 Apr 05

Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via

CVE-2026-11994 MEDIUM
4.8 Jun 22

Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or upda

CVE-2026-11943 MEDIUM
4.8 Jun 22

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML an

CVE-2026-11942 MEDIUM
4.8 Jun 22

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privil

CVE-2025-55522 MEDIUM POC
6.5 Aug 21

Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execu

CVE-2025-55521 MEDIUM POC
6.5 Aug 21

An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial o

Share

CVE-2024-22836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy