CVE-2021-36800
CRITICAL
Published Aug 4, 20214y ago · Modified Jun 17, 20262w ago
9.1 CVSS 3.1
Published Aug 4, 2021 4y ago
Last Modified Jun 17, 2026 2w ago
Description
Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application. A POST sent to /{company_id}/sales/invoices/{invoice_id} with an items[0][price] that includes a PHP callable function is executed directly. This issue was fixed in version 2.1.13 of the product.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-94 Improper Control of Generation of Code (Code Injection) Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| akaunting | akaunting | * | <2.1.13 |
References 1
- rapid7.com https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.