Description

Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.

PUBLISHED Reserved 2026-01-06 | Published 2026-03-13 | Updated 2026-04-22 | Assigner VulnCheck




MEDIUM: 5.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)

MEDIUM: 5.2 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Product status

Default status: unknown

Any version: affected

Credits

Jean-Marie Bourbon of Bourbon Offensive Security Services (finder)

VulnCheck (coordinator)

References

www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/ (technical-description, exploit)

github.com/...xploits/blob/master/2026/CVE-2026-22191-POC.py (exploit)

github.com/...er/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt (technical-description)

www.beghelli.it (product)

www.vulncheck.com/...-sicuroweb-angularjs-template-injection (third-party-advisory)

cve.org (CVE-2026-22191)

nvd.nist.gov (CVE-2026-22191)
