CVE-2026-3050 describes a cross-site scripting (XSS) vulnerability discovered in the horilla Leads Module. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability affects versions 1.0.0 through 1.0.3 of the Leads Module, and a fix is available in version 1.0.3.
An attacker can exploit this XSS vulnerability by placing a malicious payload in the 'Notes' field of the Leads Module. When the application later renders that field, the payload executes in the context of another user's browser. This could lead to session hijacking, defacement of the application, or the theft of sensitive information such as login credentials. Because the vulnerability is exploitable remotely, an attacker needs no local access, which significantly widens the attack surface. The published proof-of-concept further increases the likelihood of exploitation.
A proof-of-concept (PoC) for CVE-2026-3050 has been published, indicating a relatively high likelihood of exploitation. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. The public availability of the PoC suggests that attackers are actively seeking to exploit this vulnerability.
Organizations using horilla with the Leads Module installed and running versions 1.0.0 through 1.0.2 are at immediate risk. Shared hosting environments where multiple users share the same instance of horilla are particularly vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability.
• javascript: Inspect the static/assets/js/global.js file for code that takes user-supplied input, in particular the 'Notes' field, and inserts it into the page without encoding.
• generic web: Monitor access logs for requests containing unusual or obfuscated JavaScript code in the 'Notes' parameter. Look for patterns indicative of XSS attempts.
• generic web: Examine responses that render the 'Notes' field for signs of script injection or unexpected behavior.
• wordpress: Check plugin files for the presence of the vulnerable global.js file and any modifications to its handling of user input.
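The log-monitoring step above, as an added example that is not part of the original advisory or of the horilla project: a small Python scanner that parses combined-format access-log lines, percent-decodes the watched query parameter (here `notes`), and flags values carrying common script-injection markers. The log lines, the parameter name and the marker list are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of script injection in a decoded parameter value. Deliberately
# conservative: every hit is meant for analyst review, not automatic blocking.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b",
    re.IGNORECASE,
)


def flag_params(target: str, watch=("notes",)) -> list[tuple[str, str]]:
    """Return (param, decoded_value) pairs from the URL query whose value
    carries an XSS marker. Only the watched parameters are inspected.
    parse_qs decodes once; decoding again catches double-encoded values."""
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in watch:
            continue
        for value in values:
            decoded = unquote_plus(value)
            if XSS_MARKERS.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(lines) -> list[dict]:
    """Parse each access-log line and report requests whose watched
    parameters look like script-injection attempts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for param, value in flag_params(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "param": param, "value": value})
    return findings


# Constructed sample lines (not real traffic): a benign note, a URL-encoded
# script tag in the notes parameter, and a request that does not touch notes.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:09:15:02 +0000] "GET /leads/?notes=call+back+on+monday HTTP/1.1" 200 2048',
    '198.51.100.23 - - [10/Mar/2026:09:15:09 +0000] "GET /leads/?notes=%3Cscript%3Edocument.title%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Mar/2026:09:16:40 +0000] "POST /leads/create/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} value={f['value']!r}")
```

One caveat the advisory does not spell out: a standard access log records the request line only, so a 'Notes' value submitted in a POST body (the normal path for a form field) never appears in it. To see those submissions you need application-level request logging or a WAF that logs form bodies; the same `flag_params` logic can then be applied to the decoded body instead of the URL query.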
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3050 is to upgrade the horilla Leads Module to version 1.0.3 or later. If an immediate upgrade is not possible, implement input validation and sanitization on the 'Notes' field, and encode the stored value on output, so that injected markup is never interpreted as script. A web application firewall (WAF) configured to detect and block XSS payloads can provide a temporary additional layer of protection. Verify the upgrade by submitting a crafted payload in the 'Notes' field after upgrading; the payload should be rendered as inert text and not execute.
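The input-validation and sanitization workaround described above, as an added example that is not code from the advisory or from the horilla project. It assumes a Django-style application that stores the 'Notes' value in a plain text field; the function names `sanitize_notes` and `render_notes` and the sample note are constructed for the example. The point it shows is that stripping markup on input reduces what reaches storage, but output encoding is the control that actually prevents the script from executing.

```python
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps text nodes only; tags, attributes and comments are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def sanitize_notes(notes: str, max_len: int = 2000) -> str:
    """Input-side control for a free-text field that should never carry markup:
    strip every tag, collapse whitespace and cap the length before storing."""
    stripper = _TagStripper()
    stripper.feed(notes)
    stripper.close()  # flushes any buffered text
    text = " ".join("".join(stripper.parts).split())
    return text[:max_len]


def render_notes(notes: str) -> str:
    """Output-side control: HTML-encode the stored value at the point it is
    written into a page. Apply this even to values that were sanitized on
    input, since older rows or other write paths may have bypassed it."""
    return html.escape(notes, quote=True)


# Constructed sample (not a real submission): a note with a script tag embedded.
SAMPLE_NOTE = "Call back Tuesday <script>document.title</script> re: quote"

if __name__ == "__main__":
    stored = sanitize_notes(SAMPLE_NOTE)
    print("stored :", stored)
    print("render :", render_notes(stored))
    # Even the raw, unsanitized value is inert once encoded on output
    print("raw enc:", render_notes(SAMPLE_NOTE))
```

In a Django template the default autoescaping already does what `render_notes` does; this class of bug typically appears when a value is marked safe (`|safe`, `mark_safe`) or inserted client-side via `innerHTML` instead of `textContent`. The advisory's detection step pointing at global.js is consistent with checking the client-side path.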
Upgrade horilla to version 1.0.3 or later. This version contains the fix for the cross-site scripting vulnerability. The upgrade can be performed by downloading the latest version of the software and replacing the existing files.
CVE-2026-3050 is a cross-site scripting vulnerability affecting horilla Leads Module versions 1.0.0–1.0.3, allowing attackers to inject malicious scripts.
Yes, if you are using horilla Leads Module versions 1.0.0 through 1.0.2, you are vulnerable to this XSS attack.
Upgrade the horilla Leads Module to version 1.0.3 or later to resolve this vulnerability. Input validation is a temporary workaround.
A proof-of-concept has been published, suggesting a high likelihood of active exploitation.
Refer to the horilla project's official website or repository for the latest security advisories and updates related to CVE-2026-3050.