
Description

Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations.

PUBLISHED Reserved 2025-12-11 | Published 2025-12-11 | Updated 2025-12-16 | Assigner VulnCheck




HIGH: 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Product status

Default status: unaffected

3.1.8: affected

Credits

tmrswrr (finder)

References

www.exploit-db.com/exploits/52030 (ExploitDB-52030) exploit

akaunting.com/forum (Vendor Homepage) product

www.softaculous.com/apps/erp/Akaunting (Software Link) product

www.vulncheck.com/...late-injection-via-multiple-form-fields (VulnCheck Advisory: Akaunting 3.1.8 Server-Side Template Injection via Multiple Form Fields) third-party-advisory

cve.org (CVE-2024-58293)

nvd.nist.gov (CVE-2024-58293)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.