QwikSec

Security Database

CVE

CWE

Training

CVE-2026-41468

Published: Apr 22, 2026

Modified: Apr 22, 2026

PUBLISHED

CVSS v3.1

8.7

HIGH

Description

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions, enabling session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can deliver the complete injection and escape chain via MITM in plaintext HTTP deployments without active user interaction.

Vendor	Product	Versions
Beghelli	SicuroWeb (Sicuro24)	affected `0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/

technical-description

exploit

https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py

exploit

https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt

technical-description

https://www.beghelli.it

product

https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-sandbox-escape-via-template-injection

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.