CVE-2024-22836

CRITICAL

Akaunting <3.1.3 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-22836. PoCs published by u32i.

AI-analyzed exploit summary This exploit leverages a command injection vulnerability in Akaunting < 3.1.3 by manipulating the 'locale' parameter during company setup, followed by triggering execution via app installation. It requires authentication and uses CSRF tokens for session validation.

Description

An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.

Exploits (1)

exploitdb WORKING POC
by u32i · textwebappsphp
https://www.exploit-db.com/exploits/51870

This exploit leverages a command injection vulnerability in Akaunting < 3.1.3 by manipulating the 'locale' parameter during company setup, followed by triggering execution via app installation. It requires authentication and uses CSRF tokens for session validation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Akaunting <= 3.1.3
Auth required
Prerequisites: Valid user credentials · Access to the target application · CSRF token retrieval
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.3820
EPSS Percentile 97.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
akaunting/akaunting < 3.1.4
Published Feb 08, 2024
Tracked Since Feb 18, 2026