Skip to main content

Wirtualna Uczelnia EUVDEUVD-2026-33903

| CVE-2026-34907 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 CERT-PL GHSA-vxh9-pjmh-2356
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 12:21 vuln.today
CVSS changed
Jun 02, 2026 - 10:22 NVD
5.1 (MEDIUM)
CVE Published
Jun 02, 2026 - 08:31 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Wirtualna Uczelnia is vulnerable to Reflected Cross‑Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script will be executed in their browser.

This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545

AnalysisAI

Reflected XSS in Wirtualna Uczelnia (Simple SA) allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers by embedding payloads in the locale parameter across multiple application endpoints. All versions up to wu#2016.437.295#0#20260327_105545 are affected; the flaw was disclosed by CERT-PL and catalogued under ENISA EUVD-2026-33903. No public exploit or CISA KEV listing is confirmed at time of analysis, but the zero-privilege, low-complexity attack vector makes social-engineering-driven exploitation straightforward for any attacker who can induce a victim to click a crafted URL.

Technical ContextAI

Wirtualna Uczelnia is a Polish higher-education management platform developed by Simple SA (CPE: cpe:2.3:a:simple_sa:wirtualna_uczelnia:*:*:*:*:*:*:*:*), deployed at universities for academic administration. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting): the application reflects the locale parameter, which governs language/localization selection, back into HTTP responses across multiple endpoints without adequate output encoding or input sanitization. Because the parameter value is included verbatim in rendered page content, an attacker-supplied JavaScript fragment is treated as executable code by the victim's browser. The CVSS 4.0 vector confirms AV:N (network-accessible) and AT:N (no attack preconditions), meaning the vulnerable endpoints are reachable over the public internet without any special deployment configuration.

RemediationAI

Upgrade Wirtualna Uczelnia to a version released after wu#2016.437.295#0#20260327_105545; contact Simple SA (https://simple.com.pl/branze/edukacyjna/) to obtain the patched release, as no specific fix version number was provided in the available intelligence. Review the CERT-PL advisory at https://cert.pl/posts/2026/06/CVE-2026-34906 for additional remediation guidance - note this URL references CVE-2026-34906 rather than CVE-2026-34907, which may indicate a related advisory covering both issues or a reference discrepancy that warrants verification with the vendor. If immediate patching is not feasible, deploy a Web Application Firewall rule to strip or reject requests where the locale parameter contains angle brackets, script tags, or JavaScript URI schemes; be aware this control may inadvertently break legitimate localization functionality and should be validated against the application's language-selection behavior. Additionally, enforce Content Security Policy (CSP) headers at the reverse proxy or load balancer level to restrict inline script execution, which mitigates XSS impact even when input sanitization fails.

Share

EUVD-2026-33903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy