CVE-2026-41468
Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape via Template Injection
CVSS Score
8.7
EPSS Score
0.0%
EPSS Percentile
0th
Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions, enabling session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can deliver the complete injection and escape chain via MITM in plaintext HTTP deployments without active user interaction.
| CWE | CWE-1104 |
| Vendor | beghelli |
| Product | sicuroweb (sicuro24) |
| Published | Apr 22, 2026 |
| Last Updated | Apr 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for beghelli sicuroweb (sicuro24)
Be the first to know when new high vulnerabilities affecting beghelli sicuroweb (sicuro24) are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
Affected Versions
Beghelli / SicuroWeb (Sicuro24)
0
References
boffsec-services.com: https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/ github.com: https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py github.com: https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt beghelli.it: https://www.beghelli.it vulncheck.com: https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-sandbox-escape-via-template-injection
Credits
Jean-Marie Bourbon of Bourbon Offensive Security Services VulnCheck