XSS in Akaunting
CVE-2026-11943
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript in their own profile name.
Vulnerability class: XSS (Cross-Site Scripting)
Affected products
- Akaunting — versions 3.1.21
Weakness classification (CWE)
References
- help@fluidattacks.com (third-party-advisory)
- help@fluidattacks.com (product)