PatchSiren cyber security CVE debrief
CVE-2026-11994 Akaunting CVE debrief
CVE-2026-11994 is an authenticated stored Cross-Site Scripting (XSS) vulnerability in Akaunting version 3.1.21, located in the report management workflow. A user with permission to create or update reports can store arbitrary HTML or JavaScript in a report's description field; the stored content is then executed in the browser of any user who views the affected report. The Common Vulnerability Scoring System (CVSS) score is 4.8, classified as MEDIUM severity. The CVE was published on June 22, 2026, at 18:16:31 GMT and modified at 19:16:39 GMT the same day.
- Vendor: Akaunting
- Product: Unknown
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-22
Who should care
Administrators of Akaunting version 3.1.21 should be aware of this vulnerability, as should anyone whose account can create or update reports, since those permissions are what an attacker needs. Developers and security teams should prioritize patching or mitigating it. Users who view reports created or updated by other accounts are the ones exposed to the injected script.
Technical summary
CVE-2026-11994 allows authenticated users to store arbitrary HTML/JavaScript in the description field of reports. Because this is a stored Cross-Site Scripting (XSS) vulnerability, the injected code is saved on the server and executed each time a user views the report, rather than requiring a crafted link. The attacker must already hold permission to create or update reports. The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X: network-reachable with low attack complexity, but requiring high privileges (PR:H) and passive user interaction (UI:P), with low confidentiality and integrity impact on both the vulnerable and subsequent systems, which yields a medium severity rating.
Defensive priority
Patching or mitigating this vulnerability should be a high priority for administrators of Akaunting 3.1.21. Restricting report creation and update permissions to trusted users reduces who can plant the payload, and a Content Security Policy (CSP) limits what an injected script can do if one is stored.
Recommended defensive actions
- Apply the latest patch or update for Akaunting to version 3.1.22 or later.
- Restrict report creation and update permissions to trusted users only.
- Implement a Content Security Policy (CSP) to restrict which sources of script and other active content a page is allowed to execute.
- Monitor report creation and updates for suspicious activity.
- Perform regular security audits and vulnerability assessments.
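The two application-side actions above, treating the description as text on output and monitoring stored descriptions for markup, can be illustrated with a small script. This is an added example, not Akaunting's code: it assumes a plain-text description field, a hypothetical report record shape, and constructed sample records; the escaping uses Python's standard library and the detector is a simple pattern check that an audit job could run over newly created or updated reports.

```python
"""Added example (not Akaunting's code): output encoding for a plain-text
description field plus a detector that flags stored descriptions carrying
markup, for the 'monitor report creation and updates' action."""
import html
import re

# Indicators of active content in a field that should hold plain text.
# A tag needs '<' followed by a letter, so "amount < 100" is not flagged.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.IGNORECASE)
_EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
_SCRIPT_SCHEME_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def render_description(description: str) -> str:
    """Render a report description as HTML text.

    Every description is treated as data: characters the browser would
    interpret as markup are encoded, so stored content cannot become script.
    Assumption: the field is plain text and never needs to carry HTML.
    """
    return html.escape(description, quote=True)


def find_markup(description: str) -> list[str]:
    """Return the reasons a stored description looks like markup rather than
    text. An empty list means nothing suspicious was found."""
    reasons = []
    if _MARKUP_RE.search(description):
        reasons.append("html-tag")
    if _EVENT_ATTR_RE.search(description):
        reasons.append("event-handler-attribute")
    if _SCRIPT_SCHEME_RE.search(description):
        reasons.append("javascript-uri")
    return reasons


# Constructed sample records in a hypothetical shape; not real Akaunting data.
SAMPLE_REPORTS = [
    {"id": 1, "user": "alice", "description": "Q2 revenue by customer, net of refunds"},
    {"id": 2, "user": "bob", "description": "Cash flow <b>summary</b> for review"},
    {"id": 3, "user": "mallory", "description": 'Report <img src=x onerror="alert(1)">'},
    {"id": 4, "user": "carol", "description": "Expenses where amount < 100 and > 50"},
]


def audit_reports(reports):
    """Return (report id, user, reasons) for each record whose description
    carries markup; this is the list an alerting job would act on."""
    findings = []
    for record in reports:
        reasons = find_markup(record["description"])
        if reasons:
            findings.append((record["id"], record["user"], reasons))
    return findings


if __name__ == "__main__":
    for report_id, user, reasons in audit_reports(SAMPLE_REPORTS):
        print(f"report {report_id} by {user}: {', '.join(reasons)}")
    # The same record rendered safely: the browser shows the text, not an element.
    print(render_description(SAMPLE_REPORTS[2]["description"]))
```

Report 4 is the edge case worth keeping in the sample: a legitimate description containing comparison operators must not raise an alert, which is why the tag pattern requires a letter after `<`. The detector is a monitoring aid, not a replacement for output encoding; encoding on render is what closes the vulnerability, and a CSP adds a further layer by restricting which scripts the page may execute even if encoding is missed somewhere.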
Evidence notes
CVE-2026-11994 was identified in Akaunting version 3.1.21. It allows authenticated users with report creation or update permissions to inject malicious HTML/JavaScript into report descriptions. The CVSS score of 4.8 corresponds to medium severity. The CVE was published and modified on June 22, 2026, by the National Vulnerability Database (NVD).
Official resources
This article is AI-assisted and based on the supplied source corpus.