CVE-2026-41469
Beghelli Sicuro24 SicuroWeb Missing Content Security Policy
| CVSS Score | 5.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
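The browser-side decision the description relies on, as an added example (not code from the advisory, VulnCheck, or the vendor): given the response headers a page was served with, it reports whether an external script from another origin would be loaded. Origins, header values and policies are constructed for illustration, and matching is simplified to scheme and host (ports and paths are ignored).

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}.
    A repeated directive is ignored (first occurrence wins, as in browsers)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_matches(expr: str, script_url: str, page_origin: str) -> bool:
    """Simplified CSP source-expression match: scheme and host only.
    Ports and paths are ignored, which suffices for origin-level reasoning."""
    url, page = urlsplit(script_url), urlsplit(page_origin)
    expr = expr.lower()
    if expr == "'self'":
        return (url.scheme, url.hostname) == (page.scheme, page.hostname)
    if expr.startswith("'"):             # 'none', nonces, hashes, 'unsafe-*'
        return False                     # never match an external URL
    if expr == "*":
        return True                      # any origin: no real restriction
    if expr.endswith(":") and "/" not in expr:
        return url.scheme == expr[:-1]   # scheme-only source such as https:
    host = expr.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
    if host.startswith("*."):
        return url.hostname.endswith(host[1:])
    return url.hostname == host


def script_allowed(headers: dict, page_origin: str, script_url: str) -> bool:
    """True if a browser would load script_url into a page from page_origin.
    Only the enforcing header counts: Content-Security-Policy-Report-Only
    reports violations but blocks nothing, and a missing header (the
    weakness in CWE-693 terms) leaves the load unrestricted."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return True
    policy = parse_csp(csp)
    # script-src falls back to default-src; with neither, nothing restricts scripts
    allowed = policy.get("script-src", policy.get("default-src"))
    if allowed is None:
        return True
    return any(source_matches(s, script_url, page_origin) for s in allowed)
```

A response with no enforcing policy, a report-only policy, or a `script-src *` wildcard all come back as allowed for a foreign origin, which is the condition the advisory describes.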
| CWE | CWE-693 |
| Vendor | beghelli |
| Product | sicuroweb (sicuro24) |
| Published | Apr 22, 2026 |
| Last Updated | Apr 22, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Attack Vector | Adjacent |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| Beghelli / SicuroWeb (Sicuro24) | 0 |
References
boffsec-services.com: https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
github.com: https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py
github.com: https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
beghelli.it: https://www.beghelli.it
vulncheck.com: https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-missing-content-security-policy
Credits
Jean-Marie Bourbon of Bourbon Offensive Security Services VulnCheck