Authenticated Stored Cross-Site Scripting in Akaunting by Akaunting
CVE-2026-11943

4.8MEDIUM

Key Information:

Vendor: Akaunting
Status: Akaunting
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-11943?

Akaunting version 3.1.21 is susceptible to an authenticated stored cross-site scripting vulnerability. This issue allows authenticated users to inject malicious HTML/JavaScript code into their profile name, which can be executed within the document timeline on invoice and bill detail pages. This form of attack can potentially impact other users who view these pages, thereby posing significant risks to data integrity and user security.

Affected Version(s)

Akaunting Windows 3.1.21

References

https://fluidattacks.com/es/advisories/thunder

third-party-advisory

https://github.com/akaunting/akaunting

product

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 10, 2026

Credit

Oscar Naveda

Fluid Attacks' AI SAST Scanner

CVE-2026-11943 Data

JSON