CVE-2026-34906

Published: Giu 02, 2026 Last Modified: Giu 02, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.

This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545

1336

Improper Neutralization of Special Elements Used in a Template Engine

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity

Potential Impacts:

Execute Unauthorized Code Or Commands

Applicable Platforms

Languages: Java, PHP, Python, JavaScript, Interpreted

Technologies: Not Technology-Specific, AI/ML, Client Server

View CWE Details

https://cert.pl/posts/2026/06/CVE-2026-34906

https://simple.com.pl/branze/edukacyjna/

CVE-2026-34906

Description

Improper Neutralization of Special Elements Used in a Template Engine

Common Consequences

Applicable Platforms

Iscriviti alla newsletter