CVE-2026-34906

Deferred
Published: 02 Jun 2026, 08:31
Last modified:02 Jun 2026, 13:15

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.3 CRITICAL
v4.0 (cve.org)
EPSS Score
0.29% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

02 Jun 2026, 08:31
Published
Vulnerability first disclosed
02 Jun 2026, 13:15
Last Modified
Vulnerability information updated

Description

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545

CVSS Metrics

  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Trends

Current EPSS score: 0.29% Percentile: 53%

Techniques & Countermeasures

  • CWE-1336Improper Neutralization of Special Elements Used in a Template Engine

    The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Affected Systems

  • simple sawirtualna uczelnia

    ≤ wu#2016.437.295#0#20260327_105545

References (2)