CVE-2024-58293

HIGH

Akaunting 3.1.8 - Authenticated Server-Side Template Injection via Form Input Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58293, a PoC published by tmrswrr.

AI-analyzed exploit summary: the exploit demonstrates Server-Side Template Injection (SSTI) in Akaunting 3.1.8 by injecting Twig-style template expressions into form input fields; the PoC author reports that this leads to arbitrary code execution on the server. The PoC gives clear reproduction steps for several modules. Note that the Description below records only arithmetic and string-manipulation expressions being evaluated, so treat full code execution as a claim of the analysis rather than something this page confirms.

Description

Akaunting 3.1.8 contains a server-side template injection vulnerability: several form input fields are passed to the template engine in a way that lets an authenticated administrator inject template expressions that the server evaluates. Payloads placed in the name fields of items, taxes, transactions, and vendors are evaluated as template code, which the page confirms for arithmetic operations and string manipulation. Exploitation requires an administrator account (the CVSS vector below carries PR:H), so the practical risk is privilege abuse by, or account takeover of, an existing admin rather than unauthenticated access.

Exploits (1)

exploitdb · WORKING POC
by tmrswrr · text · webapps · php
https://www.exploit-db.com/exploits/52030


Classification
Working PoC (90% confidence)
Attack type: RCE (as classified by the analysis; the Description confirms template-expression evaluation)
Complexity: Trivial
Reliability: Reliable
Target: Akaunting 3.1.8
Auth required: yes
Prerequisites: Admin credentials · Access to vulnerable Akaunting instance
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory (exploit)
https://www.exploit-db.com/exploits/52030
Various Sources (product)
https://akaunting.com/forum

Scores

CVSS v4: 8.6 (High)
EPSS: 0.0006 (0.06% predicted probability of exploitation in the next 30 days)
EPSS percentile: 17.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: PoC
Automatable: no
Technical Impact: total

Details

CWE: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
Status: published
Products (1)
Akaunting/Akaunting 3.1.8
Published Dec 11, 2025
Tracked Since Feb 18, 2026