Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Wirtualna Uczelnia is vulnerable to Reflected Cross‑Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script will be executed in their browser.
This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545
AnalysisAI
Reflected XSS in Wirtualna Uczelnia (Simple SA) allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers by embedding payloads in the locale parameter across multiple application endpoints. All versions up to wu#2016.437.295#0#20260327_105545 are affected; the flaw was disclosed by CERT-PL and catalogued under ENISA EUVD-2026-33903. No public exploit or CISA KEV listing is confirmed at time of analysis, but the zero-privilege, low-complexity attack vector makes social-engineering-driven exploitation straightforward for any attacker who can induce a victim to click a crafted URL.
Technical ContextAI
Wirtualna Uczelnia is a Polish higher-education management platform developed by Simple SA (CPE: cpe:2.3:a:simple_sa:wirtualna_uczelnia:*:*:*:*:*:*:*:*), deployed at universities for academic administration. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting): the application reflects the locale parameter, which governs language/localization selection, back into HTTP responses across multiple endpoints without adequate output encoding or input sanitization. Because the parameter value is included verbatim in rendered page content, an attacker-supplied JavaScript fragment is treated as executable code by the victim's browser. The CVSS 4.0 vector confirms AV:N (network-accessible) and AT:N (no attack preconditions), meaning the vulnerable endpoints are reachable over the public internet without any special deployment configuration.
RemediationAI
Upgrade Wirtualna Uczelnia to a version released after wu#2016.437.295#0#20260327_105545; contact Simple SA (https://simple.com.pl/branze/edukacyjna/) to obtain the patched release, as no specific fix version number was provided in the available intelligence. Review the CERT-PL advisory at https://cert.pl/posts/2026/06/CVE-2026-34906 for additional remediation guidance - note this URL references CVE-2026-34906 rather than CVE-2026-34907, which may indicate a related advisory covering both issues or a reference discrepancy that warrants verification with the vendor. If immediate patching is not feasible, deploy a Web Application Firewall rule to strip or reject requests where the locale parameter contains angle brackets, script tags, or JavaScript URI schemes; be aware this control may inadvertently break legitimate localization functionality and should be validated against the application's language-selection behavior. Additionally, enforce Content Security Policy (CSP) headers at the reverse proxy or load balancer level to restrict inline script execution, which mitigates XSS impact even when input sanitization fails.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33903
GHSA-vxh9-pjmh-2356