CVE-2026-41469 MEDIUM

CVE-2026-41469: Beghelli Sicuro24 SicuroWeb Missing Content Security Policy

Vendor Beghelli
Product SicuroWeb (Sicuro24)
Weakness CWE-693
Published April 22, 2026
Last update April 22, 2026

CVSS base score

5.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
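
A defender-side check for the condition described above, as an added example that is not part of the original advisory or any vendor code: it inspects one response's headers and reports whether an enforced policy actually restricts where scripts may load from. The function names and sample header sets are constructed for illustration, and it assumes a single CSP header per response.

```python
# Added example: audit response headers for a CSP that restricts script origins.
# All header sets below are constructed samples, not captured from SicuroWeb.

# Sources that do not pin script loading to named origins.
BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(value):
    """Split a policy string into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def script_findings(headers):
    """Return findings about external script loading for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    enforced = h.get("content-security-policy")
    if enforced is None:
        if "content-security-policy-report-only" in h:
            return ["report-only policy: violations are reported, nothing is blocked"]
        return ["no Content-Security-Policy header: scripts from any origin may load"]
    policy = parse_csp(enforced)
    # Fallback order browsers apply to <script src=...> elements.
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in policy:
            sources = policy[name]
            break
    else:
        return ["no script-src or default-src: script origins are unrestricted"]
    # With 'strict-dynamic', browsers ignore host and scheme sources.
    if "'strict-dynamic'" in sources:
        return []
    broad = sorted(BROAD_SOURCES.intersection(sources))
    return [f"{name} allows broad sources: {' '.join(broad)}"] if broad else []


MISSING = {"Content-Type": "text/html"}
REPORT_ONLY = {"Content-Security-Policy-Report-Only": "script-src 'self'"}
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' https:"}
STRICT = {"Content-Security-Policy": "default-src 'none'; script-src 'self'"}

if __name__ == "__main__":
    for label, hdrs in [("missing", MISSING), ("report-only", REPORT_ONLY),
                        ("weak", WEAK), ("strict", STRICT)]:
        print(label, script_findings(hdrs) or "ok")
```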

Key dates

02 Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated