CVE-2024-58293

HIGH

Akaunting 3.1.8 - Code Injection

Title source: llm

Description

Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions through multiple form input fields. Attackers can inject template payloads into the items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations.

Exploits (1)

exploitdb WORKING POC
by tmrswrr · text · webapps · php
https://www.exploit-db.com/exploits/52030

Scores

CVSS v4 8.6
EPSS 0.0008
EPSS Percentile 24.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE
CWE-1336
Status published
Products (1)
Akaunting/Akaunting 3.1.8
Published Dec 11, 2025
Tracked Since Feb 18, 2026