CVE 9.3 CRITICAL

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia_CVE-2026-34906

June 2, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/SC:L/SI:L/SA:L

Description

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.

This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545

AI Analysis

Server-Side Template Injection (SSTI) vulnerability in Wirtualna Uczelnia allowing unauthenticated Remote Code Execution (RCE)

Basic Information

ID CVE-2026-34906

Source CERT-PL

Published Jun 2, 2026 at 08:31

Affected Product

Vendor Simple SA

Product Wirtualna Uczelnia

Affected Versions Simple SA Wirtualna Uczelnia 0

CWE Classification

CWE-1336

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Simple SA

Product Wirtualna Uczelnia

Version wu#2016.437.295#0#20260327_105545

References

{
    "lastseen": "",
    "description": "Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.\n\nThis issue affects Wirtualna Uczelnia versions up to\u00a0wu#2016.437.295#0#20260327_105545",
    "published": "2026-06-02T08:31:02.827Z",
    "modified": "2026-06-02T08:31:02.827Z",
    "type": "cve",
    "title": "Server-Side Template Injection (SSTI) in Wirtualna Uczelnia",
    "source": "CERT-PL",
    "references": "https://cert.pl/posts/2026/06/CVE-2026-34906\nhttps://simple.com.pl/branze/edukacyjna/",
    "id": "CVE-2026-34906",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "Simple SA Wirtualna Uczelnia 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/SC:L/SI:L/SA:L",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Wirtualna Uczelnia",
    "version": "0",
    "vendor": "Simple SA",
    "ai_description": "Server-Side Template Injection (SSTI) vulnerability in Wirtualna Uczelnia allowing unauthenticated Remote Code Execution (RCE)",
    "ai_severity": "Critical",
    "ai_vendor": "Simple SA",
    "ai_product": "Wirtualna Uczelnia",
    "ai_version": "wu#2016.437.295#0#20260327_105545",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply