SicuroWeb AngularJS Template Injection RCE Chain Analysis (CVE-2026-22191)

Vulnerability Overview Vulnerability Name: CVE-2026-22191-SicuroWeb-ATI-chain.txt Vulnerability Type: AngularJS Template Injection Discovery Time: 2024/04/2025 Report Time: 2024/08/2025 Coordinated Disclosure Time: 2025/02/2025 Wolvencheck Submission Time: 2025/02/2025 VulnCheck Assignment Time: 2025/04/2025 Public Disclosure Time: 2026/04/22/2026 Impact Scope Affected Product: SicuroWeb (Sicuro24 management interface) Vendor: Beghell (https://www.beghell.it/en-de) Affected Versions: All versions embedding AngularJS < 1.6 Component: AngularJS-based web front-end Patch Status: NO PATCH AVAILABLE Remediation Measures Upgrade AngularJS: Upgrade to version 1.6 or migrate to a maintained framework Deploy Restrictive CSP: Use (no nonce) Enforce HTTPS/TLS + HSTS: Eliminate MITM delivery vector Sanitize Template Rendering: Prevent user input from reaching Network Segmentation: Restrict access to management VLAN If Unused: Disable the interface POC Code Other Key Information CVSS Score: 9.3 (Critical) Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:L Description: SicuroWeb improperly renders untrusted values within the AngularJS template context, allowing attacker-controlled AngularJS expressions to be evaluated at runtime. The template path is exposed via directory listing. Impact: - Injection of arbitrary AngularJS expressions - Initial foothold for client-side code execution (within sandbox) Exploitation Chain: 1. Unauthenticated directory listing exposes AngularJS templates 2. CVE-2026-22191: Template injection enables expression evaluation 3. CVE-2026-41468: Constructor prototype traversal bypasses AngularJS sandbox 4. MITM on plaintext HTTP (no HTTPS/HSTS) injects payload into response 5. CVE-2026-41469: Absence of CSP allows external script loading + localStorage persistence without further MITM Overall Impact: - Arbitrary JavaScript execution in unauthorized operator sessions - Persistent compromise of browser-based management interface - Manipulation of electrical system management UI (OT environment) - Lateral movement/pivoting from compromised browser session - Remote code execution on domain-joined systems References: - https://vulncheck.com (CVE-2026-22191, CVE-2026-41468, CVE-2026-41469) - https://cve.mitre.org/data/definitions/79.html - https://cve.mitre.org/data/definitions/64.html - https://cve.mitre.org/data/definitions/693.html - https://cve.mitre.org/data/definitions/1336.html - https://kmkz.github.io/posts/sicuroweb-cve-2026-22191/ Author: @kmkz_security - boffsec-services.com

Goal Reached Thanks to every supporter — we hit 100%!

SicuroWeb AngularJS Template Injection RCE Chain Analysis (CVE-2026-22191)

More from this source