What is GHSA-4pqh-3f6p-63c5?

GHSA-4pqh-3f6p-63c5 is a security advisory published by GitHub Security Advisories with Critical severity. Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to...

Which CVE IDs does GHSA-4pqh-3f6p-63c5 cover?

GHSA-4pqh-3f6p-63c5 covers the following CVE IDs: CVE-2026-34906. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-4pqh-3f6p-63c5Critical

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to...

Vendor

GitHub Security Advisories

Published

June 2, 2026

Last Modified

June 2, 2026

🔗 CVE IDs covered (1)

CVE-2026-34906 →

📋 Description

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.

This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-34906
https://cert.pl/posts/2026/06/CVE-2026-34906
https://simple.com.pl/branze/edukacyjna
https://github.com/advisories/GHSA-4pqh-3f6p-63c5