CVE-2026-41469
MEDIUMBeghelli Sicuro24 SicuroWeb Missing Content Security Policy
Title source: cnaDescription
Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
References (5)
Core 5
Core References
Technical Description technical-description
https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-missing-content-security-policy
Exploit technical-description
exploit
https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
Product product
https://www.beghelli.it
Scores
CVSS v3
5.2
EPSS
0.0020
EPSS Percentile
10.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-693
Status
published
Products (1)
Beghelli/SicuroWeb (Sicuro24)
Published
Apr 22, 2026
Tracked Since
Apr 23, 2026