XSS in Akaunting
CVE-2026-11942
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name.
Vulnerability class: XSS (Cross-Site Scripting)
Affected products
- Akaunting — versions 3.1.21
Weakness classification (CWE)
References
- help@fluidattacks.com (third-party-advisory)
- help@fluidattacks.com (product)