CVE-2024-22836

CRITICAL

Akaunting <3.1.3 - Command Injection

Title source: llm

Description

An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.

Exploits (1)

exploitdb WORKING POC
by u32i · text · webapps · php
https://www.exploit-db.com/exploits/51870

Scores

CVSS v3: 9.8
EPSS: 0.3820
EPSS Percentile: 97.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (1): akaunting/akaunting < 3.1.4
Published: Feb 08, 2024
Tracked Since: Feb 18, 2026