Akaunting 3.1.21 - Stored XSS in delete confirmation modal
4,8
Medium
Detected by
Fluid Attacks AI SAST Scanner
Disclosed by
Oscar Naveda
Summary
Full name
Akaunting 3.1.21 - Stored XSS in delete confirmation modal through unescaped model names
Code name
State
Public
Release date
Affected product
Akaunting
Vendor
Akaunting
Affected version(s)
3.1.21
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS v4.0 base score
4.8
Exploit available
Yes
CVE ID(s)
Description
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name. When another authenticated user opens the delete confirmation dialog for that record, Akaunting builds the modal message from the stored name and renders it as HTML through Vue's v-html, causing attacker-controlled JavaScript to execute in the victim's browser session.
Vulnerability
Root cause
1. User-controlled Item names are accepted and persisted without HTML validation.
- app/Http/Requests/Common/Item.php:43-46 validates name only as required|string.
- app/Models/Common/Item.php:38 marks name as fillable.
- app/Jobs/Common/CreateItem.php:20-22 persists $this->request->all().
- app/Jobs/Common/UpdateItem.php:18-20 updates the model from $this->request->all().
2. The delete action uses the stored model name in the confirmation message.
- app/Models/Common/Item.php:190-222 exposes a delete line action for Items through items.destroy.
- resources/views/common/items/index.blade.php:134-136 renders the reusable table actions component.
- resources/views/components/table/actions.blade.php:107-116 renders delete actions through <x-delete-link>.
3. DeleteLink::getMessage() performs incomplete output encoding.
The transformation protects double quotes in the initial HTML attribute context, but it does not encode <, >, event-handler attributes, or other HTML syntax. Payloads such as <img src=x onerror=alert(document.domain)> remain present in the generated message.
4. The Blade view emits the message as trusted HTML in a data attribute.
data-message="{!! $message !!}"
- Relevant code: resources/views/components/delete-link.blade.php:16-25
5. The frontend reads the attribute and renders the message with v-html.
Relevant code: resources/assets/js/mixins/global.js:372-395 and resources/assets/js/components/AkauntingModal.vue:28-30
PoC
1. Navigate to: http://localhost:8088/1/common/items/create
2. Create a new Item with the following Name:
CVE-XSS-ITEM-"><img src=x onerror=alert(document.domain)>
3. Complete the remaining required fields and save the Item.
4. Navigate to: http://localhost:8088/1/common/items
5. Open the row actions for the created Item and click the delete action.
Evidence of exploitation
Video of exploitation
Static evidence
Our security policy
We have reserved the ID CVE-2026-11942 to refer to this issue from now on.
System Information
Akaunting
Version: 3.1.21
Operating System: Any
References
Github Repository: https://github.com/akaunting/akaunting
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Oscar Naveda from Fluid Attacks' Offensive Team using the AI SAST Scanner.
Timeline
Vulnerability discovered
Vendor contacted
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
