← back
CVE-2026-3050

horilla-opensource horilla Leads global.js cross site scripting

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79CWE-94
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
24 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Affected products
horilla-opensource · horilla

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Horilla-opensource/Horilla-crm/commit/fc5c8e55988e89273012491b5f097b762b474546https://github.com/horilla-opensource/horilla-crm/releases/tag/1.0.3https://github.com/Stolichnayer/Horilla-CRM-Stored-XSShttps://vuldb.com/?ctiid.347408https://vuldb.com/?id.347408https://vuldb.com/?submit.757314