ctipilot.ch


CVE-2026-34906 / CVE-2026-34907 — Simple SA "Wirtualna Uczelnia": unauthenticated SSTI-to-RCE in the student-administration platform used across Polish public universities

From CTI Daily Brief — 2026-06-05 · published 2026-06-05

CERT Polska published a coordinated-disclosure advisory for Wirtualna Uczelnia ("Virtual University"), a proprietary higher-education administration platform by Simple SA deployed across Polish universities (CERT Polska, 2026-06-02). CVE-2026-34906 is a Server-Side Template Injection in the redirectToUrl endpoint: insufficient validation of the redirect-URL parameter lets an unauthenticated attacker inject template expressions that are evaluated on the server, reaching remote code execution (T1190, CWE-1336). CVE-2026-34907 is a companion reflected XSS via the locale parameter. Both affect all versions through build wu#2016.437.295#0#20260327_105545. CERT Polska credits the finding to Dawid Bakaj (VIPentest); no vendor patch or fixed version had been published at disclosure, and no in-the-wild exploitation is reported. As the national CERT and primary disclosing party, CERT Polska is the sole source (national-CERT carve-out, PD-5).

Why it matters to us: a pre-auth RCE in a public-facing student portal is a foothold into university networks and a trove of academic identity data, in a sector (EU public-sector education) that the brief tracks. Until Simple SA ships a fix, restrict the redirectToUrl endpoint to internal/authenticated sources at the reverse proxy or WAF, and hunt web-server access logs for template metacharacters (${...}, #{...}, {{...}}) in the redirect parameter, remembering that the logged request line carries them URL-encoded (e.g. %24%7B for ${), possibly more than once.
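The log hunt suggested above, as an added example that is not part of the brief or of CERT Polska's advisory. It scans combined-format access-log entries for requests to the redirectToUrl endpoint, decodes every query parameter (the advisory does not name the redirect parameter, so the parameter name "url" in the constructed sample lines is a placeholder and the scan checks all parameters on that path) and flags the ${, #{ and {{ delimiters, including when they are double-encoded.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Template delimiters the brief says to hunt for: ${...}, #{...}, {{...}}
TEMPLATE_MARKERS = re.compile(r"\$\{|#\{|\{\{")

# Request line inside a combined-format access log entry: "GET /path?q=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (not real traffic); addresses are from documentation ranges
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2026:10:12:01 +0000] "GET /redirectToUrl?url=https%3A%2F%2Fportal.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2026:10:12:05 +0000] "GET /redirectToUrl?url=%24%7Bprobe%7D HTTP/1.1" 500 0 "-" "curl/8.6"',
    '203.0.113.7 - - [05/Jun/2026:10:12:09 +0000] "GET /redirectToUrl?url=%2524%257Bprobe%257D HTTP/1.1" 500 0 "-" "curl/8.6"',
    '198.51.100.4 - - [05/Jun/2026:10:13:00 +0000] "GET /search?q=%7B%7Bterm%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def suspicious_params(entry):
    """Return [(param, decoded_value)] for a redirectToUrl request whose query
    parameters contain template metacharacters once URL-decoded."""
    m = REQUEST_RE.search(entry)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    # Scope to the vulnerable endpoint named in the advisory (case-insensitive path match)
    if "redirecttourl" not in parts.path.lower():
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl removes one layer of encoding; decode once more so a
        # double-encoded payload (%2524%257B -> %24%7B -> ${) is not missed
        decoded = unquote(value)
        if TEMPLATE_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits

def hunt(entries):
    """Return (line_number, param, decoded_value) for every flagged parameter."""
    findings = []
    for lineno, entry in enumerate(entries, start=1):
        for name, decoded in suspicious_params(entry):
            findings.append((lineno, name, decoded))
    return findings

if __name__ == "__main__":
    for lineno, name, decoded in hunt(SAMPLE_LOG):
        print(f"line {lineno}: {name}={decoded!r}")
```

Feed real log lines into hunt() (one entry per list element); the fourth sample shows that the same delimiters on an unrelated endpoint are deliberately not flagged, so widen the path filter if the deployment exposes the endpoint under a different prefix.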

CVE Summary Table

| CVE | Product | CVSS (v3.1 / v4.0) | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-23479 | Redis 7.2.0–7.2.13, 7.4.x, 8.2.x, 8.4.x, 8.6.x | 8.8 (3.1) / 7.7 (4.0) | n/a | No | No (public PoC chain) | 7.2.14 / 7.4.9 / 8.2.6 / 8.4.3 / 8.6.3 (2026-05-05) | ZeroDay.Cloud |
| CVE-2026-34906 | Simple SA Wirtualna Uczelnia (SSTI RCE) | n/a | n/a | No | No | None at disclosure | CERT Polska |
| CVE-2026-34907 | Simple SA Wirtualna Uczelnia (reflected XSS) | n/a | n/a | No | No | None at disclosure | CERT Polska |