Description
Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability: untrusted input is improperly rendered in AngularJS template contexts, which allows attackers to inject arbitrary AngularJS expressions. The injected expressions are compiled and executed by the AngularJS 1.5.2 runtime, giving arbitrary JavaScript execution in operator browser sessions. Network-adjacent attackers can deliver payloads via MITM injection in plaintext HTTP deployments.
References (8)
Core References
Third Party Advisory: https://www.vulncheck.com/advisories/wpdiscuz-before-server-side-shortcode-injection-via-email-notifications
Technical Description: https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
Product: https://www.beghelli.it
Third Party Advisory: https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-template-injection
Exploit, Technical Description: https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
Scores
CVSS v3: 5.2
EPSS: 0.0036
EPSS Percentile: 27.8%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-1336
Status: published
Products (4)
Beghelli/SicuroWeb (Sicuro24)
gVectors/wpDiscuz < 7.6.47
gvectors/wpdiscuz < 7.6.47
gVectors/wpDiscuz 7.6.47
Published: Mar 13, 2026
Tracked Since: Mar 14, 2026