CVE-2026-3050

3.5 LOW

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in the Leads Module of Horilla CRM. Attackers can inject malicious scripts via the Notes argument handled by the global.js file, potentially compromising user sessions. Organizations running Horilla CRM versions up to 1.0.2 are affected.

💻 Affected Systems

Products:
  • Horilla CRM
Versions: Up to version 1.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Leads Module specifically; requires the module to be enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies, hijack user accounts, perform actions as authenticated users, and potentially pivot to internal systems.

🟠 Likely Case

Session hijacking, credential theft, defacement of the CRM interface, and data exfiltration from the CRM system.

🟢 If Mitigated

Limited to UI manipulation within the CRM interface, provided proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (e.g., a user viewing the malicious notes), but it is straightforward to trigger once the payload has been stored.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.3

Vendor Advisory: https://github.com/horilla-opensource/horilla-crm/releases/tag/1.0.3

Restart Required: Yes

Instructions:

1. Back up your Horilla CRM instance.
2. Download version 1.0.3 from the official GitHub releases.
3. Replace the affected files, particularly static/assets/js/global.js.
4. Restart the Horilla CRM service.
5. Verify the patch by checking that commit fc5c8e55988e89273012491b5f097b762b474546 is applied.

🔧 Temporary Workarounds

Disable Leads Module
Applies to: all

Temporarily disable the affected Leads Module to prevent exploitation. Modify the Horilla CRM configuration to disable the Leads Module (the specific commands depend on the deployment).

Implement WAF Rules
Applies to: all

Configure the web application firewall to block XSS payloads in the Notes parameter: add a rule that filters script content in POST/GET requests to the Leads endpoints.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for the Notes field in the Leads Module.
  • Restrict access to the Horilla CRM instance using network segmentation and strong authentication.

🔍 How to Verify

Check if Vulnerable:

Check if your Horilla CRM version is 1.0.2 or earlier and if the Leads Module is enabled.

Check Version:

Check the version in Horilla CRM's admin interface or configuration files.

Verify Fix Applied:

Verify that commit fc5c8e55988e89273012491b5f097b762b474546 is present in your installation, then confirm that script content submitted in the Notes field is rendered as inert text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in Notes field logs
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing script tags or encoded payloads to Leads endpoints

SIEM Query:

Search for patterns like '<script>' or 'javascript:' in URI or POST data to /leads/* endpoints.
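As an added example (not part of this advisory or of the Horilla project), the search above implemented as a small Python scanner over constructed web-server log lines. The log format, field layout and sample requests are assumptions; the scanner also decodes repeated URL-encoding so that an encoded payload (as noted under Network Indicators) is still matched.

```python
import re
from urllib.parse import unquote_plus, urlparse

# Constructed sample log lines, not real traffic. Assumed format (one request per line):
#   <client_ip> <user> <method> <path_with_query> <status> <urlencoded_body_or_dash>
SAMPLE_LOGS = [
    "10.0.0.5 alice POST /leads/create/ 302 notes=Follow+up+next+week",
    "10.0.0.9 bob POST /leads/create/ 302 notes=%3Cscript%3Ex%3C%2Fscript%3E",
    "10.0.0.9 bob GET /leads/?notes=javascript%3Avoid%280%29 200 -",
    "10.0.0.7 carol GET /employees/?q=%3Cscript%3E 200 -",
]

# The two indicators named in the advisory; whitespace tolerated between the tokens.
XSS_PATTERNS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL-encoding so %253Cscript%253E is still caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> dict:
    """Split one log line of the assumed format into named fields."""
    ip, user, method, path, status, body = line.split(" ", 5)
    return {"ip": ip, "user": user, "method": method, "path": path, "status": status, "body": body}


def is_suspicious(entry: dict) -> bool:
    """True when a request to a /leads/* endpoint carries a script indicator in URI or body."""
    if not urlparse(entry["path"]).path.startswith("/leads/"):
        return False
    haystack = decode_layers(entry["path"]) + "\n" + decode_layers(entry["body"])
    return bool(XSS_PATTERNS.search(haystack))


def scan(lines: list) -> list:
    """Return (ip, user, method, path) for every suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["ip"], entry["user"], entry["method"], entry["path"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("suspicious request:", hit)
```

The same request to a non-Leads endpoint (the /employees/ line) is deliberately not reported, keeping the alert scoped to the affected module as the advisory's query does.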
