QSearchQSearch

CVE-2026-34906

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE)

Published: 2026-06-02 · Last updated: 2026-06-02

Severity and scoring

CWE
CWE-1336

Description

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-41065 Tautulli is a Python based monitoring and tracking tool for Plex Media Server
  • CVE-2026-42252 Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `Ba... (9.1 CRITICAL)
  • CVE-2026-45697 Formie is a Craft CMS plugin for creating forms (9.8 CRITICAL)
  • CVE-2026-49382 In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin (4.5 MEDIUM)
  • CVE-2026-45312 RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine (9.9 CRITICAL)