Severity: CRITICAL | CVE-2026-34906 | CNA: CERT-PL

CVE-2026-34906: Server-Side Template Injection (SSTI) in Wirtualna Uczelnia

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia (developed by Simple SA) allows an unauthenticated remote attacker to inject arbitrary template expressions into the redirectToUrl endpoint, which the server evaluates without restriction. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation gives the attacker full remote code execution on the server, including the ability to establish a reverse shell. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-34906 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including CERT-PL. Coverage extends to custom-built images that bundle Wirtualna Uczelnia at any version at or below wu#2016.437.295#0#20260327_105545.

Triage: Available

HarborGuard scores this CVE at CVSS 9.3 (Critical, v4.0) and surfaces it accordingly in each customer org's vulnerability queue, weighted against the applicable compliance policy for that environment. Routing rules direct the finding to the team or inbox configured for critical-severity issues within each organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Simple SA releases a remediated version. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation and egress-filtering recommendations surfaced on this finding.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the service via HTTP/HTTPS from a remote host.

  • Authentication: Not required

    No credentials of any privilege level are required; the injection point is accessible to anonymous requests.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no user action or social-engineering step is needed.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free, with no race conditions or special environmental factors required to trigger template evaluation.

Blast Radius

  • Attacker executes arbitrary operating-system commands on the server hosting Wirtualna Uczelnia, including spawning a reverse shell for persistent access.
  • All data readable by the server process is exposed, including academic records, user credentials, and session tokens stored on or accessible from the host.
  • Attacker can write, modify, or delete files and database records accessible to the server process, corrupting application data and configurations.
  • Service availability is at the attacker's discretion; they can terminate processes, exhaust resources, or deploy ransomware, taking the application fully offline.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for this critical-severity SSTI, HarborGuard continuously re-checks the CERT-PL advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment Simple SA publishes a fix version. Until then, HarborGuard surfaces this finding as a critical blocker in each affected environment's queue. Compensating controls available through HarborGuard include network-policy isolation recommendations to restrict inbound access to the Wirtualna Uczelnia service to known IP ranges, egress-filtering rules to prevent outbound reverse-shell connections from the container, and feature-flag or deployment-gate options to block promotion of images carrying this CVE into production. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically once a fix version is available, with no manual intervention required.

Affected packages
  • Simple SA / Wirtualna Uczelnia
    ≤ wu#2016.437.295#0#20260327_105545
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L