CVE-2026-3050
LOW EPSS 12.0%
Published Feb 24, 2026 · Modified Jun 17, 2026
CVSS 4.0 score: 2.0
Description
A flaw has been found in horilla-opensource horilla up to 1.0.2. It affects an unknown function in the file static/assets/js/global.js of the Leads Module component. Manipulating the Notes argument causes cross-site scripting. The attack can be carried out remotely. The exploit has been published and may be used. Upgrading the affected component to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction P
Scope X
Threat Intelligence
EPSS Exploit Probability
12.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-79 Cross-site Scripting Injection
CWE-94 Improper Control of Generation of Code (Code Injection) Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| horilla | horilla | * | <1.0.3 |
References 6
- github.com https://github.com/Horilla-opensource/Horilla-crm/commit/fc5c8e55988e89273012491b5f097b762b474546
- github.com https://github.com/Stolichnayer/Horilla-CRM-Stored-XSS
- github.com https://github.com/horilla-opensource/horilla-crm/releases/tag/1.0.3
- vuldb.com https://vuldb.com/?ctiid.347408
- vuldb.com https://vuldb.com/?id.347408
- vuldb.com https://vuldb.com/?submit.757314
Remediation
- github.com https://github.com/Horilla-opensource/Horilla-crm/commit/fc5c8e55988e89273012491b5f097b762b474546