CVE-2026-34906 · CWE-1336 · Disclosed 2026-06-02

Server-Side Template Injection

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a lobby intercom wired straight to the server room door release

CERT Polska says Simple SA Wirtualna Uczelnia contains a Server-Side Template Injection in the redirectToUrl endpoint via the redirectUrlParameter parameter, allowing an unauthenticated attacker to get remote code execution, including a reverse shell. The advisory states all versions up to and including wu#2016.437.295#0#20260327_105545 are affected; the same notice also ties the flaw to CWE-1336 and dates disclosure to 2026-06-02.

There is no official vendor or authority CVSS baseline here, so this is a first-pass field assessment. In practice this behaves like a near-critical bug because it is pre-auth network RCE on a web app meant for student self-service, but it stays at HIGH instead of CRITICAL because the exposed population is comparatively niche, we found no KEV listing, no public PoC, and no public mass-exploitation telemetry as of 2026-06-02.

"Pre-auth SSTI to RCE on an internet-facing student portal is bad; niche deployment and no exploit evidence keep it at HIGH."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable Wirtualna Uczelnia portal

An attacker identifies an exposed portal by targeting university/student-facing instances of Wirtualna Uczelnia, typically through normal web reconnaissance with tools like httpx, nuclei, or simple search-engine dorking. Because Wirtualna Uczelnia is an online academic portal, many legitimate deployments are designed for external reachability rather than internal-only use.
Conditions required:
  • A Wirtualna Uczelnia instance is internet-reachable
  • The instance runs a vulnerable build at or below wu#2016.437.295#0#20260327_105545
  • The attacker can reach the web tier over HTTP/HTTPS
Where this breaks in practice:
  • The product is much less common than Exchange, Citrix, or mainstream VPN appliances
  • No strong public fingerprint or large-scale census result was independently verified during this review
  • Some universities may place access behind VPN, allowlists, or upstream access brokers
Detection/coverage: Shodan/Censys-style exposure counting was not independently verified for this product. Expect weak off-the-shelf scanner coverage and rely on internal asset inventory plus custom web fingerprinting.
STEP 02

Trigger SSTI in redirectToUrl

The attacker sends a crafted request to the redirectToUrl endpoint and injects template expressions into redirectUrlParameter using curl or Burp Suite. CERT Polska states insufficient input validation lets arbitrary expressions execute server-side, which removes the need for credential theft or a user click.
Conditions required:
  • The vulnerable endpoint is exposed and reachable
  • The backend template/expression path remains enabled in the deployed app
  • No upstream control blocks the payload before it reaches the app
Where this breaks in practice:
  • A WAF or reverse proxy may block obvious template metacharacters or known payload patterns
  • Input normalization, URL rewriting, or app-specific validation can make payload shaping less trivial than a copy-paste exploit
  • If the endpoint is only reachable through campus SSO plumbing or internal routing, exploitation surface drops sharply
Detection/coverage: No vendor-authored scanner, NASL, or verified public nuclei template was found during this review. Custom HTTP checks against redirectToUrl are the realistic path.
STEP 03

Convert expression evaluation into code execution

Once expression evaluation is achieved, the attacker uses the template engine's execution primitives to spawn commands and typically graduates to a reverse shell with bash, sh, or platform-native process launchers. CERT Polska explicitly notes the impact can include remote command execution and reverse-shell establishment.
Conditions required:
  • The evaluated expression context exposes dangerous classes/functions or command execution paths
  • The application server account can spawn child processes
  • The host's OS and runtime permit process execution
Where this breaks in practice:
  • Java security hardening, container sandboxing, SELinux/AppArmor, or restricted runtime policies can limit full shell quality
  • Application pool identities may have limited filesystem or network rights
  • EDR often catches the post-exploitation stage even when the initial bug lands
Detection/coverage: EDR should have the best chance here: child-process creation from the app server, shell spawning from Java/web worker processes, and suspicious command interpreters are high-signal behaviors.
STEP 04

Loot data and pivot from the app host

With code execution, the attacker can steal app secrets, dump configuration, harvest database credentials, access student/staff records reachable by the application, and pivot into adjacent systems. Even if the portal host itself is not crown-jewel infrastructure, it is a trusted university business app with a useful identity and data position.
Conditions required:
  • The compromised app host can reach backing databases or internal services
  • Secrets are stored locally or in accessible config stores
  • Network egress allows further command-and-control or lateral movement
Where this breaks in practice:
  • Well-segmented app tiers and secret managers can blunt blast radius
  • Outbound filtering can kill easy reverse shells and commodity post-exploitation
  • Mature monitoring can flag abnormal DB reads, vault access, or east-west traffic from the portal
Detection/coverage: Look for new outbound connections from the app tier, unusual reads of config/secrets, web server process spawning shells, and database access patterns inconsistent with normal student portal workflows.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No public evidence of active exploitation found during this review. Not listed in CISA KEV as of 2026-06-02.
Proof-of-concept availability: No public PoC located in primary-source review. That lowers attacker convenience, but not the underlying impact, because the advisory gives the vulnerable endpoint and parameter names.
EPSS: User-supplied EPSS is 0.00289 (0.289% probability over 30 days). Percentile was not independently verified from FIRST during this review.
KEV status: No — absent from the CISA Known Exploited Vulnerabilities Catalog as reviewed on 2026-06-02.
Official scoring: No official vendor/authority CVSS published. This assessment is therefore ASSESSED AT HIGH rather than upgraded or downgraded.
Affected versions: CERT Polska lists all versions up to and including wu#2016.437.295#0#20260327_105545 as affected.
Fixed versions: The advisory does not name the first fixed build. Safest interpretation: deploy a build newer than wu#2016.437.295#0#20260327_105545 and verify with the vendor.
Exposure reality: Vendor material describes Wirtualna Uczelnia as an online module for students, lecturers, and administration, which implies many real deployments are intentionally internet-accessible. Public scan counts/fingerprints were not independently verified, so broad internet prevalence remains medium-confidence inference.
Disclosure date: 2026-06-02 via CERT Polska coordinated disclosure.
Researcher / reporting org: Reported to CERT Polska; credit given to Dawid Bakaj - VIPentest. Historical context matters: the same product and same redirectToUrl area previously had a 2025 pre-auth RCE issue, which suggests fragile input handling around this code path.
04 · The Call

noisgate verdict.

Final Verdict
UNCHANGED: HIGH (8.8/10)

This lands in HIGH because it is unauthenticated remote code execution on a web application that is plausibly internet-facing by design. It stops short of CRITICAL because the product's exposed population is comparatively narrow and there is no current KEV, public PoC, or public mass-exploitation evidence showing attackers are already operationalizing it at scale.

Confidence HIGH: Vulnerability mechanics and impact from CERT Polska advisory
Confidence MEDIUM: Internet exposure assumptions for real-world deployments
Confidence LOW: Public exploitation and scanning telemetry coverage for this specific CVE

Why this verdict

  • Starts near critical: pre-auth, network-reachable SSTI that CERT Polska says can become full RCE including a reverse shell.
  • Adjusted down for population: this is not a ubiquitous edge product; it is a higher-education portal with a meaningfully smaller reachable population than mainstream VPNs, firewalls, mail gateways, or hypervisors.
  • Adjusted down for threat evidence: as of 2026-06-02 there is no KEV entry, no public PoC, and no independently verified mass-scanning telemetry, so urgency is driven by exploitability and impact, not by observed attacker momentum.

Why not higher?

If this were a mass-deployed edge product with confirmed exploitation or even a public one-click PoC, the same pre-auth RCE mechanics would justify CRITICAL. The limiting factor is not the bug's power; it is the narrower exposure base and the absence of strong real-world exploitation signals today.

Why not lower?

Dropping this to MEDIUM would ignore the main fact pattern: unauthenticated server-side code execution on a web endpoint. Even for a niche product, pre-auth RCE on an externally reachable business application is an enterprise-grade incident path, not routine backlog material.

05 · Compensating Control

What to do — in priority order.

  1. Block direct access to vulnerable portals — Put Wirtualna Uczelnia behind VPN, IP allowlists, or an authenticated access proxy within 30 days. This is the highest-value exposure reduction because it removes the unauthenticated internet attacker position that makes this flaw dangerous.
  2. Create a WAF rule for redirectToUrl abuse — Deploy request filtering for the redirectToUrl endpoint and aggressively inspect redirectUrlParameter for template-expression metacharacters and obvious command-execution payloads within 30 days. This will not be perfect, but it can cut commodity exploitation and buy patching time.
  3. Constrain egress from app servers — Restrict outbound traffic from the application tier to only required destinations within 30 days. That directly frustrates reverse shells, second-stage payload retrieval, and low-effort C2 even if initial code execution succeeds.
  4. Tune EDR for web-to-shell behavior — Add high-priority detections for web server or Java worker processes spawning cmd, powershell, sh, bash, curl, wget, nc, or scripting interpreters within 30 days. This is the control most likely to catch the post-exploitation stage when prevention fails.
  5. Hunt for redirectToUrl anomalies — Review access logs and WAF/proxy telemetry for unusual requests to redirectToUrl, oversized or encoded redirectUrlParameter values, and follow-on shell/network behaviors within 30 days. The endpoint name is known, which gives defenders a focused hunt surface.
What doesn't work
  • MFA on user accounts does not stop this because exploitation is pre-auth.
  • Password resets or SSO hardening alone do not address server-side expression execution in redirectUrlParameter.
  • Relying only on perimeter AV signatures is weak here; the decisive control points are request filtering, exposure reduction, and post-exploitation process telemetry.
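The hunt described in controls 2 and 5, as an added example that is not noisgate's or the vendor's code: a Python pass over web-server access logs that flags redirectToUrl requests whose redirectUrlParameter carries template-expression openers (checked after repeated percent-decoding), extra encoding layers, an oversized value, or a value that is not a URL or path at all. The marker list, the 512-byte threshold and the log lines are assumptions and constructed samples, not observed traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Decoded-form template-expression openers to key on (assumed list; extend for your engine).
TEMPLATE_MARKERS = ("${", "#{", "{{", "<%", "%{", "*{")
MAX_PARAM_LEN = 512  # assumed "oversized" threshold; tune to observed traffic
# Common/combined access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def fully_decode(value):
    """Percent-decode until stable so double-encoded markers are still visible."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def assess_target(target):
    """Reasons a redirectToUrl request looks anomalous; [] for other paths or benign values."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/redirecttourl"):
        return []
    reasons = []
    # parse_qs already strips one encoding layer; anything left after that is extra encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("redirectUrlParameter", []):
        decoded = fully_decode(value)
        reasons += [f"template marker {m!r}" for m in TEMPLATE_MARKERS if m in decoded]
        if decoded != value:
            reasons.append("multi-layer percent encoding")
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"oversized value ({len(value)} bytes)")
        if not decoded.startswith(("http://", "https://", "/")):
            reasons.append("value is not a URL or path")
    return reasons

def hunt(lines):
    """Return (ip, timestamp, status, target, reasons) for every line that warrants review."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        reasons = assess_target(m["target"])
        if reasons:
            hits.append((m["ip"], m["ts"], m["status"], m["target"], reasons))
    return hits

# Constructed sample lines (not real traffic): benign redirect, probe, double-encoded probe, unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2026:10:00:01 +0200] "GET /redirectToUrl?redirectUrlParameter=https%3A%2F%2Fportal.example.edu%2Fstudent HTTP/1.1" 302 0',
    '198.51.100.7 - - [02/Jun/2026:10:00:05 +0200] "GET /redirectToUrl?redirectUrlParameter=%24%7Bexample%7D HTTP/1.1" 200 1532',
    '198.51.100.7 - - [02/Jun/2026:10:00:06 +0200] "GET /redirectToUrl?redirectUrlParameter=%2524%257Bexample%257D HTTP/1.1" 200 1532',
    '203.0.113.9 - - [02/Jun/2026:10:00:09 +0200] "GET /login HTTP/1.1" 200 4321',
]
```

Feed it real access logs with `hunt(open(path))` and review the hits by source address; a benign redirect produces no reasons, so only the probe-like lines surface.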
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with Python 3, or from the target host if that is easier. Invoke it as python3 verify_wu_cve_2026_34906.py --url https://portal.example.edu/ to try passive version extraction from HTTP responses, or python3 verify_wu_cve_2026_34906.py --version 'wu#2016.437.295#0#20260327_105545' if you already know the deployed build; no admin privileges are required.

noisgate-verify.py
#!/usr/bin/env python3
# verify_wu_cve_2026_34906.py
# Passive verifier for CVE-2026-34906 (Wirtualna Uczelnia SSTI)
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

import argparse
import re
import sys
from urllib.request import Request, urlopen
from urllib.error import URLError, HTTPError

AFFECTED_MAX = "wu#2016.437.295#0#20260327_105545"
VERSION_RE = re.compile(r"wu#\d+(?:\.\d+)*#\d+#\d{8}_\d{6}", re.IGNORECASE)


def parse_version(v):
    """Convert a version string like wu#2016.437.295#0#20260327_105545 into a
    nested, sortable tuple: ((2016, 437, 295), 0, (20260327, 105545)).
    Nesting keeps each '#' field compared against the same field, so a build
    with a shorter dotted release (e.g. wu#2016.437#0#...) still orders correctly
    instead of having its build number compared against another build's release digit."""
    v = v.strip()
    if not VERSION_RE.fullmatch(v):
        return None
    try:
        release, build, stamp = v[3:].split('#')  # drop the leading 'wu#'
        date_s, time_s = stamp.split('_')
        return (tuple(int(x) for x in release.split('.')), int(build), (int(date_s), int(time_s)))
    except ValueError:
        return None


def compare_versions(found, affected_max=AFFECTED_MAX):
    """Return 'VULNERABLE' if found <= affected_max, 'PATCHED' if newer, None if unparseable."""
    pf = parse_version(found)
    pa = parse_version(affected_max)
    if pf is None or pa is None:
        return None
    # Tuples compare field by field; a shorter release tuple that is a prefix of a
    # longer one sorts first, which is the intended ordering for these builds.
    return "VULNERABLE" if pf <= pa else "PATCHED"


def fetch_url(url):
    req = Request(url, headers={"User-Agent": "noisgate-verifier/1.0"})
    with urlopen(req, timeout=10) as resp:
        body = resp.read(1024 * 1024).decode("utf-8", errors="ignore")
        headers = "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
    return headers + "\n" + body


def extract_version(text):
    m = VERSION_RE.search(text)
    return m.group(0) if m else None


def main():
    parser = argparse.ArgumentParser(description="Passive verifier for CVE-2026-34906")
    parser.add_argument("--url", help="Base URL of Wirtualna Uczelnia portal, e.g. https://portal.example.edu/")
    parser.add_argument("--version", help="Known installed version string, e.g. wu#2016.437.295#0#20260327_105545")
    args = parser.parse_args()

    if not args.url and not args.version:
        print("UNKNOWN - supply --url or --version")
        sys.exit(2)

    found_version = None

    if args.version:
        found_version = args.version.strip()
    elif args.url:
        candidates = [args.url.rstrip('/'), args.url.rstrip('/') + '/', args.url.rstrip('/') + '/login']
        last_err = None
        for u in candidates:
            try:
                text = fetch_url(u)
                found_version = extract_version(text)
                if found_version:
                    break
            except (HTTPError, URLError, TimeoutError, ValueError) as e:
                last_err = e
                continue
        if not found_version and last_err:
            print(f"UNKNOWN - could not extract version from URL ({last_err})")
            sys.exit(2)

    if not found_version:
        print("UNKNOWN - no version string found; verify locally with application inventory or vendor package metadata")
        sys.exit(2)

    result = compare_versions(found_version)
    if result is None:
        print(f"UNKNOWN - unparseable version string: {found_version}")
        sys.exit(2)

    print(f"{result} - detected version {found_version}; affected if <= {AFFECTED_MAX}")
    if result == "VULNERABLE":
        sys.exit(1)
    sys.exit(0)


if __name__ == "__main__":
    main()

07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: identify every exposed Wirtualna Uczelnia instance, verify whether it is at or below wu#2016.437.295#0#20260327_105545, and remove direct internet reachability or add tight compensating controls on any unpatched instance within 30 days under the noisgate mitigation SLA. Then move every affected deployment to a vendor-confirmed fixed build newer than that vulnerable version within 180 days under the noisgate remediation SLA; this is a HIGH because it is pre-auth RCE, so do not leave ownership ambiguous or let it drift into normal backlog hygiene.

Sources

  1. CERT Polska advisory for CVE-2026-34906 / CVE-2026-34907
  2. CISA Known Exploited Vulnerabilities Catalog
  3. FIRST EPSS API endpoint
  4. FIRST EPSS User Guide
  5. CERT Polska prior Wirtualna Uczelnia RCE advisory (CVE-2025-12140)
  6. Simple SA education platform page describing Wirtualna Uczelnia
  7. CVE record landing page
  8. OpenCVE product history for Simple SA Wirtualna Uczelnia