Medium severity · 5.2 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 22, 2026
CVE-2026-41469
Description
Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
Affected products
Patches (1)
Vulnerability mechanics
References (5)
- github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py
- github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
- www.beghelli.it
- www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
- www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-missing-content-security-policy
News mentions (0)
No linked articles in our index yet.