CVE-2026-3050 is a cross-site scripting vulnerability identified in the horilla-opensource horilla software, affecting versions 1.0.0 through 1.0.2. The flaw exists in the Leads Module, specifically within the JavaScript file static/assets/js/global.js, where the Notes argument is improperly handled, allowing an attacker to inject malicious scripts. This vulnerability can be exploited remotely without authentication but requires some user interaction, such as a victim clicking a crafted link or viewing manipulated content. The vulnerability’s CVSS 4.0 base score is 5.1, indicating a medium severity level, with attack vector network, low attack complexity, no privileges required, and user interaction needed. The impact primarily affects confidentiality and integrity by enabling attackers to execute arbitrary scripts in the context of the victim’s browser session, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. Although no known exploits are currently active in the wild, the public disclosure and availability of a patch (version 1.0.3) highlight the importance of timely remediation. The vulnerability does not affect availability and does not require special conditions such as scope or privileges beyond low-level access. The patch identified by commit fc5c8e55988e89273012491b5f097b762b474546 addresses the issue by properly sanitizing or encoding the Notes input to prevent script injection. Organizations using horilla-opensource horilla, particularly those leveraging the Leads Module, should prioritize upgrading to the fixed version and review their input validation and content security policies to mitigate potential exploitation.

The primary impact of CVE-2026-3050 is the compromise of confidentiality and integrity within affected horilla-opensource horilla deployments. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, theft of sensitive data such as contact information or credentials, and unauthorized actions performed on behalf of the victim. This can result in data breaches, loss of customer trust, and potential regulatory compliance issues. Since the vulnerability requires user interaction, the attack surface is somewhat limited but remains significant in environments where users access the Leads Module frequently. The vulnerability does not affect system availability, but the indirect consequences of data compromise or unauthorized access can disrupt business operations. Organizations relying on horilla for customer relationship management or lead tracking may face targeted attacks aiming to exfiltrate sensitive business or client information. The medium severity rating suggests moderate urgency, but the public disclosure and existence of a patch increase the risk of exploitation attempts, especially in sectors with high-value data or regulatory scrutiny.

1. Immediate upgrade to horilla-opensource horilla version 1.0.3 or later, which contains the patch addressing the XSS vulnerability. 2. Implement strict input validation and output encoding on all user-supplied data, especially within the Leads Module and any components handling the Notes argument. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. Conduct security awareness training for users to recognize and avoid suspicious links or content that could trigger XSS exploits. 5. Monitor application logs and network traffic for unusual activity related to the Leads Module or unexpected script execution attempts. 6. Review and harden web application firewall (WAF) rules to detect and block common XSS payloads targeting horilla. 7. Regularly audit and test the application for other potential injection flaws or security weaknesses. 8. Isolate or segment the horilla application environment to limit lateral movement if exploitation occurs. These measures, combined with patching, will significantly reduce the risk posed by this vulnerability.