Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions, enabling session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can deliver the complete injection and escape chain via MITM in plaintext HTTP deployments without active user interaction.
AnalysisAI
Template injection combined with AngularJS 1.5.2 sandbox escape primitives in Beghelli Sicuro24 SicuroWeb enables arbitrary JavaScript execution in operator browsers, leading to session hijacking and persistent compromise. Network-adjacent attackers can exploit this via MITM on plaintext HTTP deployments requiring only passive user interaction. Publicly available POC exists (CVE-2026-22191 exploit chain documented by BoffSec Services and kmkz), confirming weaponization risk. CVSS 9.3 reflects adjacent-network access requirement (AV:A), but SSVC indicates total technical impact with POC-confirmed exploitation status.
Technical ContextAI
The vulnerability chains two weaknesses: template injection (the application's failure to properly sanitize user input in AngularJS templates) and use of AngularJS 1.5.2, a framework version released in 2016 and now end-of-life. AngularJS versions prior to 1.6 contain well-documented sandbox escape primitives that allow attackers to break out of the expression language's security sandbox. CWE-1104 (Use of Unmaintained Third Party Components) identifies the root cause as continued reliance on obsolete software with known security deficiencies. When template injection exists, attackers can inject malicious AngularJS expressions that leverage these primitives to execute arbitrary JavaScript outside the intended sandbox constraints. The CPE identifier cpe:2.3:a:beghelli:sicuroweb_(sicuro24) confirms this affects Beghelli's SicuroWeb platform for the Sicuro24 building security system. The CVSS 4.0 vector indicates adjacent network access (AV:A), low attack complexity (AC:L), no required privileges (PR:N), and passive user interaction (UI:P), with high impact to both vulnerable system and subsequent system confidentiality and integrity (VC:H/VI:H/SC:H/SI:H).
RemediationAI
Primary fix: Upgrade SicuroWeb to a patched version that (1) remediates the template injection vulnerability and (2) upgrades AngularJS to version 1.8+ or migrates to a maintained framework like Angular 2+. No specific fix version is documented in available data-contact Beghelli support (https://www.beghelli.it) for patch availability and upgrade timeline. Immediate compensating controls for unpatched systems: (1) Enforce HTTPS with HSTS for all SicuroWeb deployments to prevent MITM injection attacks-this is CRITICAL as AV:A exploitation heavily relies on plaintext HTTP interception; note this does not prevent exploitation by authenticated adjacent attackers but blocks passive MITM chains. (2) Network segmentation: isolate SicuroWeb management interfaces on dedicated VLANs accessible only from trusted administrator workstations, blocking adjacent network access from general building automation segments. (3) Implement Content Security Policy (CSP) headers if application architecture permits, particularly 'script-src' directives to mitigate arbitrary JavaScript execution; however, CSP effectiveness is limited against AngularJS template injection and may break legitimate application functionality-test thoroughly. (4) Deploy network-based intrusion detection (NIDS) to monitor for AngularJS expression patterns in HTTP traffic to SicuroWeb endpoints. Review VulnCheck advisory and BoffSec Services writeup (https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/) for attack indicators and detection signatures.
More in Sicuroweb Sicuro24
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25075
GHSA-rc26-p9p7-95f8