Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
High privileges required to set profile name; scope changes because payload executes in other users' browser contexts, causing low-level confidentiality and integrity impact.
Primary rating from Vendor (Fluid Attacks).
CVSS VectorVendor: Fluid Attacks
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript in their own profile name.
AnalysisAI
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML and JavaScript into their profile name, which is subsequently rendered unsanitized in the document timeline displayed on invoice and bill detail pages. Any other authenticated user - including administrators - who views those pages will have the malicious script execute in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an authenticated session with high-privilege access (PR:H per CVSS 4.0) sufficient to modify their own user profile name within Akaunting 3.1.21. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.8 (Medium) accurately reflects the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to a high-privileged Akaunting account navigates to their profile settings and sets their display name to a JavaScript payload such as a script tag exfiltrating the victim's session cookie to an attacker-controlled server. When any other authenticated user - such as an accountant or administrator - opens an invoice or bill detail page where the attacker's account appears in the document timeline, the stored script silently executes in the victim's browser, transmitting their session token and enabling session hijacking. |
| Remediation | No specific vendor-released patch version is identified in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. Rated critical severity (CVSS 9.8), this v
Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application.
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy
Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, compani
Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'lo
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in pro
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the
Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via
Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or upda
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privil
Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execu
An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial o
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38270
GHSA-c9g5-5438-6vvf