CVE-2026-41468

Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape via Template Injection

CVSS 9.3 CRITICAL | EPSS 0.4% | CWE-1104 (Use of Unmaintained Third Party Components)
In short

Beghelli Sicuro24 SicuroWeb ships an outdated version of AngularJS whose expression sandbox can be bypassed. An attacker who can inject into a page template can run arbitrary JavaScript in an operator's browser, steal the session, alter what the page shows, and keep control of that browser session, with nothing visible to the user.

Technical detail

The application embeds AngularJS 1.5.2, a release whose expression sandbox has publicly known escape primitives reachable through template injection (AngularJS 1.x reached end-of-life on 31 December 2021, and the sandbox itself was removed in 1.6.0). On a plaintext HTTP deployment, a network-adjacent attacker can insert the injection payload by rewriting traffic in transit (MITM), gaining arbitrary JavaScript execution in operator sessions without active user interaction; the result is session hijacking and persistent compromise of the operator's browser session.

Summary generated and translated by AI from the official description.
Official description: Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions, enabling session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can deliver the complete injection and escape chain via MITM in plaintext HTTP deployments without active user interaction.
CVSS 4.0 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
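The preconditions above (a sandbox-era AngularJS 1.x bundle, a page that actually bootstraps it, and delivery over plaintext HTTP) can be checked passively from a single captured page. The following script is an added example, not code from the advisory or from Beghelli; it fingerprints the AngularJS version from a CDN-style script path or the bundle's own header banner, flags anything below 1.6.0 as sandbox-era, and reports whether the MITM delivery path applies. The sample URL and HTML at the bottom are constructed for illustration and are not captured from the product.

```python
import re
from urllib.parse import urlparse

# AngularJS 1.6.0 removed the expression sandbox (it was never a security boundary),
# so any 1.x release below it is in the range with publicly documented escape payloads.
# Every AngularJS 1.x release is end-of-life (support ended 2021-12-31).
SANDBOX_REMOVED = (1, 6, 0)

# Version embedded in a script path, e.g. .../angularjs/1.5.2/angular.min.js
_PATH_VERSION = re.compile(
    r"angular(?:js)?/(\d+)\.(\d+)\.(\d+)/angular(?:\.min)?\.js", re.I)
# Version banner at the top of the AngularJS bundle itself: /* AngularJS v1.5.2
_BANNER_VERSION = re.compile(r"AngularJS\s+v(\d+)\.(\d+)\.(\d+)")
# Bootstrap directive: {{ }} anywhere under this element is compiled as a template.
_NG_APP = re.compile(r"<[^>]*\s(?:data-)?ng-app\b", re.I)
_INTERPOLATION = re.compile(r"\{\{")


def angularjs_version(text):
    """Return (major, minor, patch) found in HTML or a JS bundle, or None."""
    m = _PATH_VERSION.search(text) or _BANNER_VERSION.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(url, html, scripts=()):
    """Combine the fingerprints into the preconditions of the chain described above.

    url     -- the URL the page was fetched from (scheme decides the MITM question)
    html    -- the served page body
    scripts -- bodies of any fetched script files (for the banner fingerprint)
    """
    version = angularjs_version(html)
    for body in scripts:
        version = version or angularjs_version(body)
    f = {
        "angularjs_version": version,
        "sandbox_era": version is not None and version < SANDBOX_REMOVED,
        "bootstrapped": bool(_NG_APP.search(html)),
        "interpolation_in_markup": bool(_INTERPOLATION.search(html)),
        "plaintext_http": urlparse(url).scheme.lower() == "http",
    }
    # Full network-adjacent chain: sandbox-era AngularJS, actually bootstrapped,
    # delivered over a connection an on-path attacker can rewrite.
    f["full_chain_reachable"] = f["sandbox_era"] and f["bootstrapped"] and f["plaintext_http"]
    # Even over TLS the component is end-of-life; an in-app injection point would suffice.
    f["eol_component"] = version is not None and version[0] == 1
    return f


# Constructed sample, not captured from the product: an operator page that loads
# AngularJS 1.5.2 over plaintext HTTP (192.0.2.10 is an RFC 5737 documentation address).
SAMPLE_URL = "http://192.0.2.10/sicuroweb/"
SAMPLE_HTML = """<html ng-app="operatorApp"><head>
<script src="/static/angularjs/1.5.2/angular.min.js"></script>
</head><body><p>Operator: {{session.user}}</p></body></html>"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key:24} {value}")
```

A `full_chain_reachable` result of True means all three conditions the advisory describes hold at once; a deployment that moves to HTTPS only removes the network-adjacent delivery path, so `eol_component` stays True until the AngularJS 1.x dependency is replaced.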
