
CVE-2024-22836

Critical RCE

Published: 08 February 2024
Modified: 20 June 2025
KEV Added: not listed
Patch: release 3.1.4
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3820 (97.3rd percentile)
Risk Priority: 43 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-22836 is a critical-severity OS Command Injection (CWE-78) vulnerability in Akaunting (vendor: Akaunting). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 2.7% of all CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Akaunting versions 3.1.3 and earlier contain an OS command injection vulnerability tracked as CVE-2024-22836 and assigned CWE-78. The flaw carries a CVSS 3.1 score of 9.8 and permits an unauthenticated remote attacker to execute arbitrary system commands on the underlying server by manipulating the company locale value supplied during app installation.

An attacker needs only network access to the Akaunting instance and the ability to trigger an app install; by supplying a crafted locale string the attacker can inject and execute operating-system commands, resulting in full confidentiality, integrity, and availability impact on the host.

The Akaunting project addressed the issue in release 3.1.4, available at the project’s GitHub repository. Administrators should upgrade immediately and verify that locale-handling code paths no longer accept untrusted input during installation flows. The associated EPSS score has remained flat at 0.38 with no observed rise after disclosure.

EU & UK References

Vulnerability details

An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

OS command injection in the Akaunting web application lets a remote attacker exploit a public-facing application (T1190) in order to execute arbitrary system commands on the host (T1059).

Affected Assets

Vendor: akaunting
Product: akaunting
Versions: ≤ 3.1.4

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-78) Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- (addresses CWE-78) Validates inputs to block special elements that would alter OS command execution.
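As an added illustration of the input-validation control above and of the locale-handling fix recommended in the deeper analysis (this is example code, not Akaunting's own), a locale value is accepted only when it is well-formed and on an allowlist, and the installer command is built as an argument vector rather than a shell string. The installed-locale set and the `php artisan app:install` command are assumptions made for the example.

```python
import re
from typing import List

# Constructed allowlist standing in for the locales an installation actually ships.
# Assumption: a real application would derive this from its translation directory.
INSTALLED_LOCALES = frozenset({"en-GB", "en-US", "de-DE", "pt-BR", "tr-TR"})

# Strict shape: 2-3 letter language tag with an optional two-letter region.
# Nothing else can pass, so ';', '|', '$', backticks and spaces are rejected outright.
_LOCALE_RE = re.compile(r"[a-z]{2,3}(-[A-Z]{2})?")


def validate_locale(value: str) -> str:
    """Return the locale unchanged if well-formed and installed, otherwise raise ValueError."""
    if not isinstance(value, str) or not _LOCALE_RE.fullmatch(value):
        raise ValueError(f"malformed locale value: {value!r}")
    if value not in INSTALLED_LOCALES:
        raise ValueError(f"locale not installed: {value!r}")
    return value


def locale_is_acceptable(value: str) -> bool:
    """Boolean wrapper around validate_locale for request handlers and tests."""
    try:
        validate_locale(value)
        return True
    except ValueError:
        return False


def build_command_unsafe(locale: str) -> str:
    """The weak pattern: untrusted text interpolated into a single shell command line.
    A value such as 'en-GB; id' is parsed by the shell as two commands.
    (Hypothetical installer command, not Akaunting's actual code.)"""
    return f"php artisan app:install --locale={locale}"


def build_command_safe(locale: str) -> List[str]:
    """The hardened pattern: validate first, then return argv as a list so that no shell
    ever parses the value; metacharacters stay inert even if validation were bypassed."""
    locale = validate_locale(locale)
    return ["php", "artisan", "app:install", f"--locale={locale}"]
```

Pass the list from `build_command_safe` to `subprocess.run` without `shell=True`; the unsafe builder is shown only to make the contrast visible.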

References