Platform: javascript
Component: horilla
Fixed in: 1.0.1, 1.0.2, 1.0.3
CVE-2026-3050 is a cross-site scripting (XSS) vulnerability in the Leads Module of horilla. An attacker who can write to the module's 'Notes' field can store script that is later executed in the browsers of other users who view the lead, putting their session tokens and the data they can access at risk. Versions 1.0.0 through 1.0.2 are affected; the fix ships in version 1.0.3.
The attack is a stored XSS: the attacker places a script payload in the 'Notes' field of a lead, the application stores it and later renders it without encoding, and the payload runs in the context of whichever user opens that record. Possible consequences are session hijacking, defacement of the application, and theft of sensitive information such as credentials entered into injected forms. The vulnerability is exploitable remotely through the web interface; no local access to the host is needed, only the ability to submit a note.
A proof-of-concept (PoC) for CVE-2026-3050 has been published, which lowers the effort needed to exploit the flaw. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score is 0.03% (10th percentile), so no active exploitation has been confirmed. Treat the public PoC as a reason to patch promptly rather than as evidence of in-the-wild attacks.
Exploit status: public proof-of-concept available; not listed in CISA KEV
EPSS: 0.03% (10th percentile)
CISA SSVC: not provided
CVSS vector: not provided
The primary mitigation for CVE-2026-3050 is to upgrade horilla to version 1.0.3 or later. If an immediate upgrade is not possible, add server-side validation of the 'Notes' field (for example, rejecting values that contain HTML markup) as a stopgap, and make sure the note is output-encoded for the HTML context wherever it is rendered; input validation alone does not protect records that were stored before the check was added. A web application firewall (WAF) tuned to block common XSS payloads can add a temporary layer of protection, but it is bypassable and is not a substitute for the fix. Verify the upgrade in a test environment: store a harmless canary payload, such as an image tag with an event handler attribute, in the 'Notes' field, open the lead, and confirm that the payload is displayed as literal text (encoded in the page source) and that no script runs. Repeat the check on a lead whose note was stored before the upgrade.
Update horilla to version 1.0.3 or later, which contains the fix for this cross-site scripting vulnerability. Follow the project's documented upgrade procedure rather than copying files over an existing installation, and re-check notes saved before the upgrade to confirm they now render safely.
CVE-2026-3050 is a stored cross-site scripting vulnerability in the 'Notes' field of the horilla Leads Module, affecting versions 1.0.0 through 1.0.2, that lets an attacker inject script which runs in other users' browsers.
Yes, if you are using horilla Leads Module versions 1.0.0 through 1.0.2, you are vulnerable to this XSS attack.
Upgrade the horilla Leads Module to version 1.0.3 or later to resolve this vulnerability. Input validation is a temporary workaround.
A proof-of-concept has been published, which makes exploitation easier, but the vulnerability is not in CISA KEV and its EPSS score is low (0.03%), so active exploitation has not been confirmed.
Refer to the horilla project's official website or repository for the latest security advisories and updates related to CVE-2026-3050.