Stored Cross-Site Scripting Vulnerability in Akaunting Accounting Software
CVE-2026-11994

4.8MEDIUM

Key Information:

Vendor: Akaunting
Status: Akaunting
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-11994?

An authenticated stored Cross-Site Scripting vulnerability exists in Akaunting version 3.1.21, affecting the report management workflow. Users with the appropriate permissions can inject arbitrary HTML or JavaScript code into the description field of reports. This could allow an attacker to execute malicious scripts in the context of other users, potentially leading to data theft, session hijacking, or other harmful actions within the application.

Affected Version(s)

Akaunting Windows 3.1.21

References

https://fluidattacks.com/es/advisories/believer

third-party-advisory

https://github.com/akaunting/akaunting

product

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 11, 2026

Credit

Oscar Naveda

Fluid Attacks' AI SAST Scanner

CVE-2026-11994 Data

JSON