| CVE ID | CVE-2026-34906 |
| Publication date | 02 June 2026 |
| Vendor | Simple SA |
| Product | Wirtualna Uczelnia |
| Vulnerable versions | All through wu#2016.437.295#0#20260327_105545 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-34907 |
| Publication date | 02 June 2026 |
| Vendor | Simple SA |
| Product | Wirtualna Uczelnia |
| Vulnerable versions | All through wu#2016.437.295#0#20260327_105545 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Wirtualna Uczelnia software and participated in coordination of their disclosure.
CVE-2026-34906: A Server-Side Template Injection (SSTI) vulnerability in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the redirectToUrl endpoint, insufficient validation of the redirectUrlParameter parameter permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.
CVE-2026-34907: Wirtualna Uczelnia is vulnerable to Reflected Cross-Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script is executed in their browser.
These issues affect Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545.
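A log-triage sketch for the two parameters named above, added here as an example and not part of the advisory or the vendor's code. The URL path prefix, access-log format, delimiter list and locale pattern are assumptions (the advisory does not name the template engine), and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the advisory does not name the template engine, so this matches
# the opening delimiters of several common expression syntaxes.
TEMPLATE_DELIMS = re.compile(r"\$\{|#\{|\*\{|\{\{|\{%|<%")
# Assumption: legitimate locale values look like "pl", "en_GB" or "pl-PL".
LOCALE_OK = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8}){0,2}")
# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def findings(line):
    """Return the CVE ids whose parameter looks abused in one log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    hits = []
    # parse_qsl percent-decodes once; keep_blank_values so "locale=" is seen.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if (name == "redirectUrlParameter" and "redirectToUrl" in target.path
                and TEMPLATE_DELIMS.search(value)):
            hits.append("CVE-2026-34906")
        elif name == "locale" and not LOCALE_OK.fullmatch(value):
            # Allow-list check: anything that is not locale-shaped is flagged.
            hits.append("CVE-2026-34907")
    return hits


def triage(lines):
    """Map 1-based line number -> findings, for lines with any finding."""
    return {n: f for n, line in enumerate(lines, 1) if (f := findings(line))}


# Constructed sample lines (not real traffic); hosts and the /wu/ prefix are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jun/2026:10:00:01 +0200] "GET /wu/redirectToUrl?redirectUrlParameter=%2Fwu%2Fstart HTTP/1.1" 302 0',
    '198.51.100.9 - - [02/Jun/2026:10:00:05 +0200] "GET /wu/redirectToUrl?redirectUrlParameter=%24%7BEXPR%7D HTTP/1.1" 200 512',
    '203.0.113.4 - - [02/Jun/2026:10:01:12 +0200] "GET /wu/login?locale=pl_PL HTTP/1.1" 200 4096',
    '203.0.113.8 - - [02/Jun/2026:10:01:30 +0200] "GET /wu/login?locale=%22%3E%3Cb%3EMARKUP HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for n, f in triage(SAMPLE_LOG).items():
        print(n, ",".join(f))
```

A hit is a lead for review, not proof of exploitation; values sent in POST bodies do not appear in access logs and need a separate source.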
Credits
We thank Dawid Bakaj - VIPentest for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.