CVE-2026-34906
Received - Intake
Server-Side Template Injection in Wirtualna Uczelnia Leads to RCE

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: CERT.PL

Description
Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the redirectToUrl endpoint and its redirectUrlParameter parameter, insufficient input validation permits injection of arbitrary template expressions, which are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wirtualna_uczelnia
Product: wirtualna_uczelnia
Version / Range: up to wu#2016.437.295#0#20260327_105545 (inclusive)
CWE
CWE-1336: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an unauthenticated attacker to perform Remote Code Execution on the affected system, potentially leading to unauthorized access to sensitive data or system control.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.


Can you explain this vulnerability to me?

This vulnerability is a Server-Side Template Injection (SSTI) in Wirtualna Uczelnia. It allows an unauthenticated attacker to perform Remote Code Execution (RCE) by injecting arbitrary template expressions into the redirectToUrl endpoint and the redirectUrlParameter parameter. These injected expressions are executed on the server, enabling the attacker to run remote commands, including establishing a reverse shell.


How can this vulnerability impact me?

The impact of this vulnerability is severe as it allows an attacker to execute arbitrary code on the server without authentication. This can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and the attacker gaining control over the affected system, including the ability to establish a reverse shell.

