CVE-2026-34906
CRITICALServer-Side Template Injection (SSTI) in Wirtualna Uczelnia
Title source: cnaDescription
Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545
References (2)
Core 2
Core References
Third Party Advisory third-party-advisory
https://cert.pl/posts/2026/06/CVE-2026-34906
Product product
https://simple.com.pl/branze/edukacyjna/
Scores
CVSS v4
9.3
EPSS
0.0093
EPSS Percentile
55.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1336
Status
published
Products (1)
Simple SA/Wirtualna Uczelnia
< wu#2016.437.295#0#20260327_105545
Published
Jun 02, 2026
Tracked Since
Jun 02, 2026