Description
Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
Published: 2026-04-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is the lack of a Content Security Policy in Beghelli Sicuro24 SicuroWeb, which allows users to load arbitrary JavaScript from any origin. When combined with the known template injection and sandbox escape flaws, this deficiency removes the browser‑enforced restriction that would otherwise block such external scripts, permitting attackers to inject and execute remote code in operator browser sessions. The flaw is an instance of improper security configuration (CWE‑693).

Affected Systems

Beghelli SicuroWeb (Sicuro24) is the affected product. All deployed versions prior to the patch that implements a Content Security Policy are vulnerable. No specific version numbers are listed in the advisory.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate impact. The EPSS score is < 1% and the issue is not listed in the CISA KEV catalog. The likely attack vector is client‑side: an attacker who can influence the content displayed to an operator can embed a malicious script, which will then run with the operator’s browser privileges. Chaining with the existing template injection and sandbox escape vulnerabilities can further elevate the risk, enabling full remote code execution. Because the browser restrictions (CSP) are absent, the exploitation path remains feasible as long as an attacker can deliver malicious content to an operator session.

Generated by OpenCVE AI on April 28, 2026 at 07:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or update to a version that includes a strict Content Security Policy.
  • Configure the web server to inject a CSP header that blocks scripts from untrusted origins.
  • Limit the use of external JavaScript libraries and third‑party content in operator sessions.
  • Patch or remediate the associated template injection and sandbox escape vulnerabilities to reduce chaining risk.

Generated by OpenCVE AI on April 28, 2026 at 07:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Beghelli
Beghelli sicuroweb (sicuro24)
Vendors & Products Beghelli
Beghelli sicuroweb (sicuro24)

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 22 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
Title Beghelli Sicuro24 SicuroWeb Missing Content Security Policy
Weaknesses CWE-693
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Beghelli Sicuroweb (sicuro24)
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T18:56:46.982Z

Reserved: 2026-04-20T16:07:47.311Z

Link: CVE-2026-41469

cve-icon Vulnrichment

Updated: 2026-04-22T18:56:29.246Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T19:17:09.000

Modified: 2026-04-22T21:18:45.917

Link: CVE-2026-41469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses