{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5568", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-04T14:29:44.140Z", "datePublished": "2026-04-05T13:00:17.571Z", "dateUpdated": "2026-04-06T18:04:31.101Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T13:00:17.571Z"}, "title": "Akaunting Invoice/Billing cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "n/a", "product": "Akaunting", "versions": [{"version": "3.1.0", "status": "affected"}, {"version": "3.1.1", "status": "affected"}, {"version": "3.1.2", "status": "affected"}, {"version": "3.1.3", "status": "affected"}, {"version": "3.1.4", "status": "affected"}, {"version": "3.1.5", "status": "affected"}, {"version": "3.1.6", "status": "affected"}, {"version": "3.1.7", "status": "affected"}, {"version": "3.1.8", "status": "affected"}, {"version": "3.1.9", "status": "affected"}, {"version": "3.1.10", "status": "affected"}, {"version": "3.1.11", "status": "affected"}, {"version": "3.1.12", "status": "affected"}, {"version": "3.1.13", "status": "affected"}, {"version": "3.1.14", "status": "affected"}, {"version": "3.1.15", "status": "affected"}, {"version": "3.1.16", "status": "affected"}, {"version": "3.1.17", "status": "affected"}, {"version": "3.1.18", "status": "affected"}, {"version": "3.1.19", "status": "affected"}, {"version": "3.1.20", "status": "affected"}, {"version": "3.1.21", "status": "affected"}], "modules": ["Invoice/Billing"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Akaunting up to 3.1.21. This issue affects some unknown processing of the component Invoice/Billing. The manipulation of the argument notes leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-04T16:34:48.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "gabriel (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355338", "name": "VDB-355338 | Akaunting Invoice/Billing cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355338/cti", "name": "VDB-355338 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/783139", "name": "Submit #783139 | Akaunting v3.1.21 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://docs.google.com/document/d/1TFwYGdjDblEGCMM0l67PXz0HXZu_iUqWDQZavtM9t1U/edit?usp=sharing", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:04:14.382158Z", "id": "CVE-2026-5568", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:04:31.101Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5568", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T18:04:14.382158Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:04:20.408Z"}}], "cna": {"title": "Akaunting Invoice/Billing cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "gabriel (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "modules": ["Invoice/Billing"], "product": "Akaunting", "versions": [{"status": "affected", "version": "3.1.0"}, {"status": "affected", "version": "3.1.1"}, {"status": "affected", "version": "3.1.2"}, {"status": "affected", "version": "3.1.3"}, {"status": "affected", "version": "3.1.4"}, {"status": "affected", "version": "3.1.5"}, {"status": "affected", "version": "3.1.6"}, {"status": "affected", "version": "3.1.7"}, {"status": "affected", "version": "3.1.8"}, {"status": "affected", "version": "3.1.9"}, {"status": "affected", "version": "3.1.10"}, {"status": "affected", "version": "3.1.11"}, {"status": "affected", "version": "3.1.12"}, {"status": "affected", "version": "3.1.13"}, {"status": "affected", "version": "3.1.14"}, {"status": "affected", "version": "3.1.15"}, {"status": "affected", "version": "3.1.16"}, {"status": "affected", "version": "3.1.17"}, {"status": "affected", "version": "3.1.18"}, {"status": "affected", "version": "3.1.19"}, {"status": "affected", "version": "3.1.20"}, {"status": "affected", "version": "3.1.21"}]}], "timeline": [{"lang": "en", "time": "2026-04-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-04T16:34:48.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355338", "name": "VDB-355338 | Akaunting Invoice/Billing cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355338/cti", "name": "VDB-355338 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/783139", "name": "Submit #783139 | Akaunting v3.1.21 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://docs.google.com/document/d/1TFwYGdjDblEGCMM0l67PXz0HXZu_iUqWDQZavtM9t1U/edit?usp=sharing", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Akaunting up to 3.1.21. This issue affects some unknown processing of the component Invoice/Billing. The manipulation of the argument notes leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T13:00:17.571Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5568", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:04:31.101Z", "dateReserved": "2026-04-04T14:29:44.140Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T13:00:17.571Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Akaunting up to 3.1.21. This issue affects some unknown processing of the component Invoice/Billing. The manipulation of the argument notes leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5568", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T13:17:14.900", "references": [{"source": "cna@vuldb.com", "url": "https://docs.google.com/document/d/1TFwYGdjDblEGCMM0l67PXz0HXZu_iUqWDQZavtM9t1U/edit?usp=sharing"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/783139"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355338"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355338/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.21"}}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Akaunting", "source": "cna", "vendor": "n/a"}, "product": "akaunting", "vendor": "akaunting"}], "analysis": {"en": {"generated_at": "2026-04-05T15:50:36.413068+00:00", "value": {"mitigation_remediation": ["Upgrade Akaunting to a version newer than 3.1.21 where the notes field is properly sanitized.", "Restrict the ability to add notes in Invoice/Billing to trusted users and ensure input is validated or escaped before display.", "Configure a web application firewall to block or sanitize malicious scripts in the notes parameter.", "Verify that a vendor patch has been released and monitor for security advisories."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Akaunting versions up to and including 3.1.21 are affected; no further version details are available.", "description_and_impact": "The vulnerability stems from insufficient validation of the notes argument in Akaunting\u2019s Invoice/Billing module. A malicious payload injected into this field is rendered directly in the browser, allowing an attacker to execute arbitrary JavaScript. This is a classic reflected XSS scenario (CWE\u201179) and, because executable code can be inserted, it also maps to CWE\u201194. If an attacker can deliver a crafted request, the injected script can hijack sessions, steal credentials, or alter page content, potentially compromising data confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 5.1 classifies this issue as medium severity. The lack of an EPSS score and KEV listing suggests no confirmed large\u2011scale exploitation; however, exploitation is feasible remotely by sending a crafted HTTP request containing malicious content in the notes field. Based on the description, it is unclear whether unauthenticated users or only users with write access to invoices can exploit this flaw."}}}}, "created": "2026-04-06T20:23:23.052835+00:00", "updated": "2026-04-06T21:56:43.937716+00:00", "vendors": ["akaunting", "akaunting$PRODUCT$akaunting"]}