CVE-2026-3050
Cross-Site Scripting in Horilla Leads Module JS Component

Publication date: 2026-02-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross-site scripting. The attack can be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.
Meta Information
  • Published: 2026-02-24
  • Last Modified: 2026-04-29
  • Generated: 2026-05-27
  • AI Q&A: 2026-02-24
  • EPSS Evaluated: 2026-05-25
  • References: NVD, EUVD
Affected Vendors & Products
  • Vendor: horilla
  • Product: horilla
  • Version / Range: up to 1.0.3 (excluding)
CWE
  • CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  • CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


Can you explain this vulnerability to me?

CVE-2026-3050 is a Stored Cross-Site Scripting (XSS) vulnerability found in Horilla CRM versions up to 1.0.2, specifically in the Leads module's Notes functionality. The issue arises because user-supplied input in the Notes field is not properly sanitized or encoded, allowing an authenticated attacker to inject malicious JavaScript code. This malicious code is stored in the database and executed when other users view or edit the affected note, enabling arbitrary script execution in their browser context.

The vulnerability can be exploited remotely by an attacker with low privileges and requires user interaction. It is caused by improper neutralization of input in the JavaScript file static/assets/js/global.js related to the Leads module.

The issue was fixed in Horilla CRM version 1.0.3 by integrating the DOMPurify library to sanitize HTML content and block dangerous tags and attributes that could lead to script execution. [1, 3, 4]


How can this vulnerability impact me?

This vulnerability allows an attacker with authenticated access to inject and execute arbitrary JavaScript code within the context of other users interacting with the affected Notes field. This can lead to several impacts including:

  • Execution of malicious scripts that can hijack user sessions.
  • Theft of sensitive information accessible through the user's browser.
  • Manipulation of the web application interface or behavior to perform unauthorized actions.
  • Potential compromise of data integrity by injecting malicious content.

Because the attack requires user interaction and low privileges, it can be exploited relatively easily by attackers who have access to the system. [1, 3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to inject a known XSS payload into the Notes field within the Leads module of Horilla CRM and observing if the script executes when the note is edited or viewed.

A practical detection method involves the following steps:

  • Log in with an authenticated user account.
  • Navigate to the Leads section and select a lead.
  • Go to the Notes and Attachment tab and add a new note.
  • In the Notes field, input a test XSS payload such as `<img src=x onerror=alert('XSS')>`.
  • Save the note and then edit it by clicking the Edit (pencil) icon.

If the alert box or any JavaScript executes, the system is vulnerable.

There are no specific network commands provided in the resources, but monitoring HTTP requests to the Notes endpoint for suspicious payloads or using web application scanners that test for stored XSS vulnerabilities in the Notes field can help detect exploitation attempts. [3]


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended immediate mitigation step is to upgrade Horilla CRM to version 1.0.3 or later, which contains the patch that fixes this vulnerability.

The patch includes integration of the DOMPurify library to sanitize HTML content in the Summernote WYSIWYG editor used in the Notes field, preventing malicious script injection.

  • Upgrade Horilla CRM to version 1.0.3.
  • Apply the patch commit fc5c8e55988e89273012491b5f097b762b474546 if upgrading is not immediately possible.
  • Restrict user privileges to limit who can add or edit notes, reducing the risk of exploitation.
  • Monitor and audit notes content for suspicious or unexpected scripts.

These steps help prevent exploitation by ensuring user input is properly sanitized and limiting attack surface.
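The detection answer suggests monitoring the Notes endpoint for suspicious payloads, and the mitigation list suggests auditing stored notes content. The following is an added example, not Horilla's code or part of the 1.0.3 patch: a small heuristic audit that runs over exported note bodies and flags the ones carrying active markup (script tags, inline event handlers, javascript: URIs, embedded frames) for review. The note rows and lead names are constructed; the second body is the test payload quoted above.

```javascript
// Added example (not Horilla's code): heuristic audit of stored Lead note HTML
// for active content, in support of the "monitor and audit notes content"
// advice above. It flags notes for human review; it is NOT a sanitizer and
// does not replace the DOMPurify-based fix shipped in Horilla 1.0.3.

// Markup features that have no place in a plain note and can execute script.
// Keep this list conservative: a benign note should never match.
const SUSPICIOUS_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /<[^>]*\son[a-z]+\s*=/i },  // onerror=, onload=, ... inside a tag
  { name: 'javascript-uri', re: /\b(href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedded-frame', re: /<\s*(iframe|object|embed)\b/i },
];

// Returns the names of every pattern that matches one note body.
// Obfuscated markup (entity-encoded URIs, split tags) can evade these
// regexes, so an empty result means "nothing obvious", not "safe".
function auditNote(html) {
  return SUSPICIOUS_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
}

// Runs the audit over a batch of notes (for example rows exported from the
// CRM database) and returns only the ones that need review.
function auditNotes(notes) {
  return notes
    .map(n => ({ id: n.id, lead: n.lead, findings: auditNote(n.body) }))
    .filter(r => r.findings.length > 0);
}

// Constructed sample rows (hypothetical leads); the second body is the test
// payload quoted in the detection answer above.
const SAMPLE_NOTES = [
  { id: 1, lead: 'Acme Corp', body: '<p>Called back, follow up <b>Friday</b>.</p>' },
  { id: 2, lead: 'Acme Corp', body: "<img src=x onerror=alert('XSS')>" },
  { id: 3, lead: 'Globex',    body: '<a href="javascript:alert(1)">pricing sheet</a>' },
  { id: 4, lead: 'Globex',    body: '<p>Sent the onboarding deck, no reply yet.</p>' },
];

// Notes 2 and 3 are flagged; 1 and 4 pass untouched.
console.log(JSON.stringify(auditNotes(SAMPLE_NOTES), null, 2));
```

A match is a prompt for a human to look at the note and the account that wrote it; the sanitizing fix in 1.0.3 is still what stops the script from running.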

