CVE-2026-22191

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-22191
Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.

5.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py
https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt
https://www.beghelli.it
https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-template-injection
Configurations

Configuration 1 (hide)

cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
History

22 Apr 2026, 19:17

Type Values Removed Values Added
References
  • {'url': 'https://wordpress.org/plugins/wpdiscuz/', 'tags': ['Product'], 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://wordpress.org/plugins/wpdiscuz/#developers', 'tags': ['Product', 'Release Notes'], 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://www.vulncheck.com/advisories/wpdiscuz-before-server-side-shortcode-injection-via-email-notifications', 'tags': ['Third Party Advisory'], 'source': 'disclosure@vulncheck.com'}
  • () https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py -
  • () https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt -
  • () https://www.beghelli.it -
  • () https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/ -
  • () https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-template-injection -
Summary (en) wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mail(). (en) Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.
CVSS v2 : unknown
v3 : 6.5 		v2 : unknown
v3 : 5.2
CWE CWE-94 CWE-1336

23 Mar 2026, 17:06

Type Values Removed Values Added
CPE cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
First Time Gvectors
Gvectors wpdiscuz
References () https://wordpress.org/plugins/wpdiscuz/ - () https://wordpress.org/plugins/wpdiscuz/ - Product
References () https://wordpress.org/plugins/wpdiscuz/#developers - () https://wordpress.org/plugins/wpdiscuz/#developers - Product, Release Notes
References () https://www.vulncheck.com/advisories/wpdiscuz-before-server-side-shortcode-injection-via-email-notifications - () https://www.vulncheck.com/advisories/wpdiscuz-before-server-side-shortcode-injection-via-email-notifications - Third Party Advisory
Summary
  • (es) wpDiscuz anterior a 7.6.47 contiene una vulnerabilidad de inyección de shortcode que permite a los atacantes ejecutar shortcodes arbitrarios incluyéndolos en el contenido de los comentarios enviados a través de notificaciones por correo electrónico. Los atacantes pueden inyectar shortcodes como [contact-form-7] o [user_meta] en los comentarios, los cuales se ejecutan en el servidor cuando la clase WpdiscuzHelperEmail procesa las notificaciones a través de do_shortcode() antes de wp_mail().

13 Mar 2026, 19:54

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-13 19:54

Updated : 2026-04-22 19:17

NVD link : CVE-2026-22191

Mitre link : CVE-2026-22191

CVE.ORG link : CVE-2026-22191

JSON object : View

Products Affected

gvectors

  • wpdiscuz
CWE
CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine