CVE-2026-11994 is an authenticated stored Cross-Site Scripting (XSS) vulnerability in Akaunting version 3.1.21. The vulnerability is located in the report management workflow. An attacker with permission to create or update reports can inject arbitrary HTML or JavaScript code in the description field of a report. This stored XSS could potentially allow attackers to execute malicious scripts, impacting use [truncated]
CVE-2026-8193 is a remotely reachable server-side request forgery issue reported against Akaunting 3.1.21, centered on the Invoice PDF Rendering path in config/dompdf.php. Although the CVSS score is low, the source description says a public exploit exists and that the vendor did not respond to early disclosure. For any deployment that renders invoices and can reach internal or external network resources, [truncated]