Primary

Context

Akaunting Server-Side Template Injection Vulnerability

Vulnerability

A server-side template injection vulnerability has been identified in Akaunting version 3.1.8. This vulnerability allows authenticated administrators to execute template expressions in various form input fields, including items, taxes, transactions, and vendor name fields. The injection can be used to perform arithmetic operations and string manipulations.

Impact

Exploitation of this vulnerability allows for server-side template injection, where an attacker can execute arbitrary template code on the server.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to any of the following sections: Items, Taxes, Transactions, or Vendors. In the relevant 'Name' or 'Description' fields, inject a template payload such as '{{7*7}}'. After saving, the injected payload will be executed, demonstrating the template injection vulnerability.

Added: Dec 11, 2025, 10:37 PM

Updated: Dec 11, 2025, 10:37 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.3

exploitability

6.1

remediation

0.0

relevance

1.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.3

exploitability

6.1

remediation

0.0

relevance

1.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Akaunting Server-Side Template Injection Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

Akaunting

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating