Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
High privileges (PR:H) required to inject; victim must view report (UI:R); script execution crosses to victim browser, changing scope (S:C); limited C/I impact, no availability impact.
Primary rating from Vendor (Fluid Attacks).
CVSS VectorVendor: Fluid Attacks
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report.
AnalysisAI
Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or update permissions to persist arbitrary HTML/JavaScript in the description field of the report management workflow. Any user - including administrators - who subsequently views the poisoned report will have the malicious script execute in their browser session, enabling session token theft, credential harvesting, or unauthorized UI actions on behalf of the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Akaunting session with high privileges - specifically, the permission to create or update reports within the report management workflow, as confirmed by the CVSS PR:H metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 4.8 (Medium) accurately captures a constrained but meaningful threat: the PR:H requirement restricts the exploitable attacker population to accounts already granted report management permissions, and UI:P means a victim must independently view the report for execution to occur. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a high-privileged Akaunting account with report management rights edits or creates a report and inserts a JavaScript payload - such as a script that exfiltrates document.cookie to an attacker-controlled endpoint - into the description field. When a legitimate user, such as an accountant or administrator, opens that report during routine financial review, the stored payload executes silently in their authenticated browser session, transmitting their session token to the attacker and enabling full account takeover. … |
| Remediation | No vendor-released patched version was identified in the provided intelligence at time of analysis; patch status should be verified directly against the Akaunting GitHub repository at https://github.com/akaunting/akaunting and the Fluid Attacks advisory at https://fluidattacks.com/es/advisories/believer. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. Rated critical severity (CVSS 9.8), this v
Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application.
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy
Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, compani
Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'lo
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in pro
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the
Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML an
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privil
Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execu
An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial o
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38290
GHSA-3777-v3gr-3jr3