CVE-2026-41469
Beghelli Sicuro24 SicuroWeb Missing Content Security Policy
Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
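One way a defender can test for the condition this advisory describes, as an added example that is not part of the advisory or of the vendor's software: a small Python parser that reads a Content-Security-Policy value the way a browser splits it and reports whether external script loads are restricted. The header samples are constructed; the verdict names are this example's own.

```python
"""Classify a Content-Security-Policy value by how well it restricts script loads.

Added example, not code from the advisory or the vendor. A missing header is
exactly the condition in the advisory: the browser then imposes no limit on
where <script src> may be fetched from. Sample headers are constructed.
"""
from __future__ import annotations

# Source expressions that allow scripts to load from any external origin.
ANY_ORIGIN = {"*", "http:", "https:", "http://*", "https://*"}
# Nonce/hash sources make 'unsafe-inline' ignored by CSP level 2+ browsers.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}; first occurrence wins."""
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def classify_script_policy(header: str | None) -> str:
    """Return one of: missing, unrestricted, any-origin, unsafe-inline, restricted."""
    if header is None or not header.strip():
        return "missing"
    csp = parse_csp(header)
    # script-src governs script loads; default-src is the fallback when it is absent.
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is None:
        return "unrestricted"  # header present, but no directive covers scripts
    lowered = [s.lower() for s in sources]
    if any(s in ANY_ORIGIN for s in lowered):
        return "any-origin"  # remote payloads from attacker-controlled hosts load
    if "'unsafe-inline'" in lowered and not any(s.startswith(NONCE_OR_HASH) for s in lowered):
        return "unsafe-inline"  # injected inline script would still execute
    return "restricted"


# Constructed sample headers, as an HTTP server might send them.
SAMPLES = {
    None: "missing",                                        # no CSP at all
    "frame-ancestors 'none'": "unrestricted",               # CSP set, scripts unconstrained
    "default-src 'self'; script-src * 'unsafe-inline'": "any-origin",
    "script-src 'self' 'unsafe-inline'": "unsafe-inline",
    "default-src 'self'; script-src 'self' 'nonce-abc123'": "restricted",
}

if __name__ == "__main__":
    for header, expected in SAMPLES.items():
        verdict = classify_script_policy(header)
        print(f"{verdict:14} (expected {expected:14}) <- {header!r}")
```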
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Beghelli · SicuroWeb (Sicuro24)
Public PoCs found: 2
References
https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py
https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
https://www.beghelli.it
https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-missing-content-security-policy