CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.
This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545
Analysis (AI-generated)
Remote code execution in Wirtualna Uczelnia (versions up to wu#2016.437.295#0#20260327_105545) allows unauthenticated network attackers to execute arbitrary commands via Server-Side Template Injection in the redirectToUrl endpoint's redirectUrlParameter. The CVSS 4.0 base score of 9.3 reflects no authentication, no user interaction, and high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | No special conditions beyond network reachability - the affected redirectToUrl endpoint with the redirectUrlParameter must be accessible to the attacker, and the application must be running a vulnerable build at or below wu#2016.437.295#0#20260327_105545. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are strongly aligned toward high real-world risk: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H indicates network-reachable, low-complexity, unauthenticated exploitation yielding full system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers an internet-exposed Wirtualna Uczelnia instance via Shodan/Censys fingerprinting, then sends a single HTTP request to the redirectToUrl endpoint with redirectUrlParameter set to a template-engine payload (e.g., a server-side expression invoking Runtime.exec or equivalent). The template engine evaluates the payload server-side, spawning a reverse shell back to attacker infrastructure that grants persistent foothold on the application server with access to the academic database and student records. |
| Remediation | Patch status: patch availability is not explicitly stated in the provided data; the CERT-PL advisory at https://cert.pl/posts/2026/06/CVE-2026-34906 should be consulted for the fixed build identifier, and customers should contact Simple S.A. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
Within 24 hours: Identify all Wirtualna Uczelnia instances in production (affected versions through wu#2016.437.295#0#20260327_105545) and assess network exposure; disconnect affected systems from untrusted networks where operationally feasible. …
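A defender-side triage helper, added here as an illustration and not part of the vuln.today record, the CERT-PL advisory, or the Simple S.A. product: it scans web-server access log lines for requests to the redirectToUrl endpoint whose redirectUrlParameter value contains a server-side template-expression marker once URL decoding (including double encoding) is undone. The advisory does not name the template engine, so the marker list covers several common engines; the /wu/ mount prefix, the marker list, and the sample log lines are assumptions constructed for the example. Requests carrying template syntax in other parameters, or POST bodies that an access log never records, are deliberately out of scope for this one rule.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter names as given in the advisory text.
ENDPOINT = "redirectToUrl"
PARAM = "redirectUrlParameter"

# Opening markers used by common server-side template engines. The advisory does
# not name the engine behind Wirtualna Uczelnia, so several are checked (assumption).
TEMPLATE_MARKERS = ("${", "#{", "{{", "<%", "*{", "@{", "%{")

# Request line inside a Combined Log Format entry: "METHOD /target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines; none come from a real deployment.
# The /wu/ prefix is an assumption about how the endpoint is mounted.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2026:10:55:45 +0000] "GET /wu/redirectToUrl?redirectUrlParameter=https%3A%2F%2Fexample.edu%2Fhome HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2026:10:56:01 +0000] "GET /wu/redirectToUrl?redirectUrlParameter=%24%7Bprobe%7D HTTP/1.1" 500 512 "-" "curl/8.0"
203.0.113.12 - - [27/Mar/2026:10:56:10 +0000] "GET /wu/login?next=%7B%7Bx%7D%7D HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [27/Mar/2026:10:56:22 +0000] "POST /wu/redirectToUrl HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so a double-encoded marker is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_markers(value):
    """Return the template-expression markers present in the decoded value."""
    decoded = fully_decode(value)
    return [marker for marker in TEMPLATE_MARKERS if marker in decoded]


def triage_line(line):
    """Return a finding dict for one log line, or None if it is not suspicious.

    Only the advisory's endpoint/parameter pair is inspected, so template
    syntax elsewhere in the request is left for other rules. POST bodies are
    not present in access logs, so a POST to the endpoint cannot be judged here.
    """
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not parts.path.rstrip("/").endswith("/" + ENDPOINT):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        markers = find_template_markers(value)
        if markers:
            return {
                "ip": line.split(" ", 1)[0],
                "method": match.group("method"),
                "value": fully_decode(value),
                "markers": markers,
            }
    return None


def triage_log(text):
    """Run triage_line over every line and collect the findings."""
    return [hit for hit in map(triage_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, only the second line is reported: the first carries an ordinary URL, the third has template syntax in an unrelated parameter of a different endpoint, and the fourth is a POST whose body is not in the log. A hit on a 500 response, as in that line, is worth correlating with application-server error logs, since a template engine that failed to evaluate an expression often leaves a stack trace there.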
Related advisories
- EUVD-2026-33902
- GHSA-4pqh-3f6p-63c5