PatchSiren

Akaunting CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Akaunting CVE published 2026-06-22

CVE-2026-11994

CVE-2026-11994 is an authenticated stored Cross-Site Scripting (XSS) vulnerability in Akaunting version 3.1.21. The vulnerability is located in the report management workflow. An attacker with permission to create or update reports can inject arbitrary HTML or JavaScript code in the description field of a report. This stored XSS could potentially allow attackers to execute malicious scripts, impacting use [truncated]

LOW Akaunting CVE published 2026-05-09

CVE-2026-8193

CVE-2026-8193 is a remotely reachable server-side request forgery issue reported against Akaunting 3.1.21, centered on the Invoice PDF Rendering path in config/dompdf.php. Although the CVSS score is low, the source description says a public exploit exists and that the vendor did not respond to early disclosure. For any deployment that renders invoices and can reach internal or external network resources, [truncated]