Description

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the redirectToUrl endpoint, insufficient validation of the redirectUrlParameter parameter permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545.

PUBLISHED Reserved 2026-03-31 | Published 2026-06-02 | Updated 2026-06-02 | Assigner CERT-PL




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Product status

Default status: unaffected

Any version: affected

Credits

Dawid Bakaj - VIPentest (finder)

References

cert.pl/posts/2026/06/CVE-2026-34906 third-party-advisory

simple.com.pl/branze/edukacyjna/ product

cve.org (CVE-2026-34906)

nvd.nist.gov (CVE-2026-34906)
