CVE-2026-41468 - Vulnerability Analysis
Severity: High
CVSS: 8.7
Last Updated: April 22, 2026
Beghelli Sicuro24 SicuroWeb - Stored XSS
Published: April 22, 2026
Updated: April 22, 2026
Overview
Beghelli Sicuro24 SicuroWeb contains a stored XSS caused by AngularJS 1.5.2 sandbox escape primitives combined with template injection, letting network-adjacent attackers execute arbitrary JavaScript in operator browsers without user interaction.
Severity & Score
Severity: High
CVSS Score: 8.7
Impact
Attackers can execute arbitrary JavaScript in operator browsers, enabling session hijacking, DOM manipulation, and persistent browser compromise.
Mitigation
Update AngularJS to a supported version and fix the template injection; if that is not possible, update to the latest SicuroWeb version.
References
- https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py
- https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
- https://www.beghelli.it
- https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
- https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-sandbox-escape-via-template-injection
Details
- CVE ID: CVE-2026-41468
- Severity: High
- CVSS Score: 8.7
- Type: stored_xss
- Status: rejected
CWE
- CWE-1104
CVSS Metrics
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L