Skip to main content

Beghelli SicuroWeb CVE-2026-41469

| EUVDEUVD-2026-25077 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-04-22 VulnCheck
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 23, 2026 - 07:07 vuln.today
PoC Detected
Apr 22, 2026 - 21:18 vuln.today
Public exploit code
CVSS changed
Apr 22, 2026 - 19:22 NVD
5.1 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 18:31 euvd
EUVD-2026-25077
Analysis Generated
Apr 22, 2026 - 18:31 vuln.today
CVE Published
Apr 22, 2026 - 18:04 nvd
MEDIUM 5.1

DescriptionCVE.org

Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.

AnalysisAI

Beghelli SicuroWeb (Sicuro24) lacks Content Security Policy enforcement, permitting unrestricted loading of external JavaScript from attacker-controlled origins. When combined with template injection and sandbox escape flaws in the same application, this missing security header removes browser-enforced protections that would otherwise prevent external script execution, enabling attackers to inject arbitrary remote payloads into operator sessions. Publicly available exploit code exists, and SSVC analysis confirms exploitability is achievable but not automatable, with partial technical impact.

Technical ContextAI

Content Security Policy (CSP) is a browser-enforced security mechanism that restricts the origins from which scripts, stylesheets, fonts, and other resources may be loaded into a webpage. The absence of CSP headers (CWE-693: Missing Authorization) is a control weakness rather than a direct code vulnerability, but becomes critical when paired with code injection flaws. In SicuroWeb, the lack of CSP combined with template injection vulnerabilities creates a multi-stage attack surface: template injection allows injecting script tags or event handlers, and without CSP, the browser will execute any external JavaScript loaded from attacker-controlled domains. The vulnerability is context-dependent on the presence of other flaws (template injection, sandbox escape) but removes a fundamental browser-based defense layer. This attack vector typically targets operator/administrator sessions where elevated privileges exist.

RemediationAI

Apply a vendor-supplied security patch or firmware update from Beghelli; contact Beghelli technical support or monitor their security advisory page (beghelli.it) for a patched version number. As an interim compensating control, implement a Web Application Firewall (WAF) rule set to inject Content-Security-Policy headers with 'default-src self; script-src self' (blocking external script loading) - note this requires WAF deployment in-path and does not address the underlying code injection flaws. Alternatively, restrict operator network access to SicuroWeb through network segmentation or a VPN with additional authentication, reducing the attack surface to trusted operator devices only. Conduct a comprehensive security assessment of SicuroWeb deployments to identify and patch the template injection and sandbox escape vulnerabilities referenced in the CVE description, as these are prerequisites for exploitation. Disable or restrict JavaScript execution in operator browsers if operationally feasible, though this may degrade SicuroWeb functionality.

Share

CVE-2026-41469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy