CVE-2026-3050 MEDIUM

CVE-2026-3050: horilla-opensource horilla Leads global.js cross site scripting

Vendor Horilla-Opensource
Product horilla
Weakness CWE-79 · XSS
Published February 24, 2026
Last update February 26, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.

Key dates

02Disclosure timeline

February 24, 2026 CVE published
February 26, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-32602 WordPress WooMS Plugin <= 9.12 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-1164 Brizy – Page Builder <= 2.4.43 - Authenticated(Contributor+) Stored Cross-Site Scripting via Form Functionality CVE-2024-27952 WordPress Advanced Sermons plugin <= 3.2 - Cross Site Scripting (XSS) vulnerability CVE-2022-3209 Soledad < 8.2.5 - Reflected Cross-site Scripting CVE-2025-0599 Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator on Release 3DEXPERIENCE R2024x