Description
A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.
Published: 2026-02-24
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting through unsanitized Notes input, exploitable remotely by an authenticated low-privilege user once a victim views the injected content
Action: Apply Patch
AI Analysis

Impact

A flaw was discovered in the Horilla open-source CRM (up to and including version 1.0.2) within the Leads module. The affected code is the static JavaScript file static/assets/js/global.js, which embeds the Notes argument into the page without sanitizing it. An attacker who can set a lead's Notes can therefore store crafted input that another user's browser later executes as JavaScript. Script running in a victim's session can act on the application as that user, alter the content they see, and read whatever the page exposes to script; the CVSS vectors on this record scope the rated impact to a low integrity loss, with the attack requiring low privileges and user interaction. The associated weaknesses are CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection).

Affected Systems

The affected product is Horilla-opensource Horilla CRM, versions up to and including 1.0.2. The affected file is static/assets/js/global.js, used by the Leads module. Release 1.0.3 contains the fix (commit fc5c8e55988e89273012491b5f097b762b474546).

Risk and Exploitability

The CVSS 4.0 score of 5.1 (3.5 under CVSS 3.1) indicates moderate severity at most: the vectors require network access, low privileges and user interaction, and rate a low integrity impact with no confidentiality or availability impact. The EPSS score below 1 % implies a very low probability of exploitation at the time of analysis, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there is no evidence of active exploitation. A proof-of-concept exploit has nonetheless been published, and the attack needs nothing more than submitting malicious Notes content through the web interface, so timely remediation is warranted.

Generated by OpenCVE AI on April 17, 2026 at 16:02 UTC.

Remediation

Vendor fix: upgrade to Horilla 1.0.3, which contains commit fc5c8e55988e89273012491b5f097b762b474546. No vendor workaround is provided for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Horilla CRM to version 1.0.3 or newer to apply the vendor patch
  • Treat Notes as untrusted data: escape it for the HTML context it is rendered in on the server, and in client-side code assign it through DOM APIs such as textContent rather than building markup for innerHTML
  • Deploy a Content Security Policy whose script-src directive omits 'unsafe-inline', so injected inline scripts and event-handler attributes are blocked even if a sink is missed
  • Monitor application logs and stored Notes values for script tags, event-handler attributes or encoded equivalents, and investigate any hits as a potential exploitation attempt
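The following is an added illustration written by the editor; it is not code from Horilla or from this record. It shows the DOM-based XSS pattern the Impact section describes, with the vulnerable rendering beside two hardened forms and a small check that tells them apart. Because the advisory identifies only the file (static/assets/js/global.js) and the argument (Notes), the renderLeadNotes* function names, the lead object shape, the stand-in document and the sample Notes value are all assumptions.

```javascript
// Added example by the editor, not code from Horilla or from this record.
// The advisory does not name the vulnerable function in
// static/assets/js/global.js, so the function names, the lead object shape,
// the stand-in document and the sample Notes value are assumptions.

// Constructed sample: a Notes value an attacker with lead-edit rights could
// store; the <img> carries an inline event handler as its payload.
const ATTACKER_NOTES =
  'Call back Monday <img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern (DOM XSS sink): user-controlled text is concatenated
// into markup that is later assigned to innerHTML, so the browser parses
// the <img> tag and runs its onerror handler in the victim's session.
function renderLeadNotesUnsafe(lead) {
  return lead.notes
    .split('\n')
    .map((line) => '<li>' + line + '</li>')
    .join('');
}

// Minimal HTML escaper: the five characters that carry meaning in HTML
// text and attribute contexts become entities, so the data is inert.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened form 1: escape before interpolating into an HTML string.
function renderLeadNotesEscaped(lead) {
  return lead.notes
    .split('\n')
    .map((line) => '<li>' + escapeHtml(line) + '</li>')
    .join('');
}

// Hardened form 2 (preferred in browser code): build nodes and assign
// textContent, which is never parsed as HTML. `doc` is a parameter so the
// function can be exercised outside a browser with a stand-in document.
function renderLeadNotesDom(lead, doc = globalThis.document) {
  const list = doc.createElement('ul');
  for (const line of lead.notes.split('\n')) {
    const item = doc.createElement('li');
    item.textContent = line;
    list.appendChild(item);
  }
  return list;
}

// Review/test helper: does a rendered fragment contain an element with an
// inline event-handler attribute, or a <script> tag? Escaped output has no
// real '<' in front of 'img', so it does not match.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Stand-in document (constructed) so the DOM variant runs under Node.
const STUB_DOCUMENT = {
  createElement(tagName) {
    return {
      tagName,
      textContent: '',
      children: [],
      appendChild(child) { this.children.push(child); return child; },
    };
  },
};

const lead = { name: 'Acme Corp', notes: ATTACKER_NOTES };
console.log('unsafe render is exploitable :', containsActiveMarkup(renderLeadNotesUnsafe(lead)));
console.log('escaped render is exploitable:', containsActiveMarkup(renderLeadNotesEscaped(lead)));
console.log('DOM render stores raw text    :',
  renderLeadNotesDom(lead, STUB_DOCUMENT).children[0].textContent === ATTACKER_NOTES);
```

Run it with node; the console lines report whether each rendering still carries an element with an inline event handler. The same check is what a reviewer would apply to every innerHTML or string-concatenation sink in global.js. A Content Security Policy whose script-src does not include 'unsafe-inline' blocks the onerror handler in the sample even when a sink is missed, which is why the CSP action above belongs alongside the upgrade rather than in place of it.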

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 01:15:00 +0000

Type                  Values Removed   Values Added
Description           (none)           A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.
Title                 (none)           horilla-opensource horilla Leads global.js cross site scripting
First Time appeared   (none)           Horilla; Horilla horilla
Weaknesses            (none)           CWE-79; CWE-94
CPEs                  (none)           cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Horilla; Horilla horilla
References            (none)           (none)
Metrics               (none)           cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
                                       cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                       cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                       cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-26T15:15:35.848Z

Reserved: 2026-02-23T17:42:03.979Z

Link: CVE-2026-3050

Vulnrichment

Updated: 2026-02-26T15:15:26.394Z

NVD

Status : Analyzed

Published: 2026-02-24T01:16:16.307

Modified: 2026-02-25T20:11:23.160

Link: CVE-2026-3050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses