Medium severity · 5.2 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 22, 2026
CVE-2026-41469
Description
Beghelli Sicuro24 SicuroWeb does not send or enforce a Content Security Policy, so the browser places no restriction on which origins the application's pages may load JavaScript from, including attacker-controlled ones. On its own a missing CSP is a defense-in-depth gap rather than an injection point; its impact comes from chaining. Combined with the template injection and sandbox escape vulnerabilities reported in the same application, the absence of a CSP removes the browser-enforced control that would otherwise block an injected `<script src>` pointing at an external host, so an attacker who can inject markup can load arbitrary remote payloads into operator browser sessions instead of being limited to what fits inline.
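To make the browser-side point concrete, the following added example (not code from SicuroWeb, Beghelli, or any of the referenced advisories) implements a small evaluator for the `script-src` directive of a Content-Security-Policy header and an audit helper for a set of response headers. It shows that with no header every script origin is allowed, and what a `script-src 'self'` policy would have blocked. The origins `sicuroweb.example` and `attacker.example` are hypothetical placeholders, and the header sets are constructed inline; nonce, hash and `'strict-dynamic'` sources are intentionally out of scope.

```javascript
// Added example: minimal CSP script-src evaluator plus a response-header audit.
// Hypothetical origins; not code from the SicuroWeb product or its vendor.

// Parse "directive v1 v2; directive v3" into a Map of directive -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

const defaultPort = (proto) => (proto === 'https:' ? '443' : proto === 'http:' ? '80' : '');

// Does one source expression permit loading scriptUrl from a page at pageOrigin?
// Supports 'none', 'self', '*', scheme-only (https:) and host sources
// ([scheme://]host[:port] with optional *. wildcard subdomain).
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const target = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return target.origin === page.origin;
  if (lower === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return target.protocol === lower;

  let scheme = null;
  let hostPort = lower;
  const m = lower.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ':'; hostPort = m[2]; }
  if (scheme && target.protocol !== scheme) return false;
  // Without an explicit scheme the script must use the page's scheme (http pages may upgrade to https).
  if (!scheme && target.protocol !== page.protocol && target.protocol !== 'https:') return false;

  const [host, port] = hostPort.split(':');
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // "*.cdn.example" -> ".cdn.example"
    if (!target.hostname.endsWith(suffix)) return false;
  } else if (target.hostname !== host) {
    return false;
  }
  const targetPort = target.port || defaultPort(target.protocol);
  if (port && port !== '*' && targetPort !== port) return false;
  return true;
}

// Decide whether the browser would load scriptUrl under the given CSP header.
// An empty/missing header is exactly the SicuroWeb condition: nothing is restricted.
function scriptAllowed(cspHeader, scriptUrl, pageOrigin) {
  if (!cspHeader) {
    return { allowed: true, reason: 'no Content-Security-Policy header: browser applies no restriction' };
  }
  const csp = parseCsp(cspHeader);
  const sources = csp.get('script-src') ?? csp.get('default-src');
  if (!sources) return { allowed: true, reason: 'CSP has no script-src or default-src directive' };
  const matched = sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
  return { allowed: matched, reason: matched ? 'matched a source expression' : `blocked by "${sources.join(' ')}"` };
}

// Audit a response's headers (object keyed by lowercase header name) for the
// missing-or-weak script policy a reviewer would flag. Returns a list of findings.
function auditCsp(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy header: external script loading is unrestricted');
    return findings;
  }
  const sources = parseCsp(csp).get('script-src') ?? parseCsp(csp).get('default-src');
  if (!sources) {
    findings.push('CSP present but has no script-src or default-src: scripts unrestricted');
    return findings;
  }
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes('*')) findings.push("script-src allows '*' (any origin)");
  if (lower.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (lower.some((s) => /^https?:$/.test(s))) findings.push('script-src allows any host via scheme-only source');
  return findings;
}

// Constructed sample header sets: the vulnerable shape (no CSP) and a hardened one.
const VULNERABLE_HEADERS = { 'content-type': 'text/html; charset=utf-8' };
const HARDENED_HEADERS = {
  'content-type': 'text/html; charset=utf-8',
  'content-security-policy': "default-src 'self'; script-src 'self'; object-src 'none'",
};

const PAGE = 'https://sicuroweb.example';
const PAYLOAD = 'https://attacker.example/payload.js';
console.log('no CSP   ->', scriptAllowed('', PAYLOAD, PAGE));
console.log('hardened ->', scriptAllowed(HARDENED_HEADERS['content-security-policy'], PAYLOAD, PAGE));
console.log('audit vulnerable ->', auditCsp(VULNERABLE_HEADERS));
console.log('audit hardened   ->', auditCsp(HARDENED_HEADERS));
```

The `auditCsp` check is the one to run against every HTML response of an operator-facing application during an assessment: a missing header is the finding described here, and a header whose `script-src` contains `*`, `'unsafe-inline'` or a bare `https:` gives roughly the same practical result against a remote-script injection.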
Patches
No patches discovered yet.
References (5, as listed by NVD)
- github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py
- github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
- www.beghelli.it
- www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
- www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-missing-content-security-policy