Description
Wirtualna Uczelnia is vulnerable to Reflected Cross‑Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script will be executed in their browser.


This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545
Published: 2026-06-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wirtualna Uczelnia suffers from a reflected cross‑site scripting flaw caused by improper handling of the locale parameter on several endpoints. An attacker can embed a malicious script in the locale value, which the application reflects unescaped back to the victim’s browser. When the victim opens the crafted URL, the injected JavaScript runs in the victim’s context, potentially allowing data theft, session hijacking, or the delivery of further malicious payloads.

Affected Systems

The vulnerability affects the Simple SA Wirtualna Uczelnia product, specifically all releases up to and including wu#2016.437.295#0#20260327_105545. No newer versions are indicated in the data.

Risk and Exploitability

The CVSS score of 5.1 denotes medium severity, and the entry is not listed in the CISA KEV catalog. EPSS data is not available, implying no recent exploitation reports. The most likely attack vector is an attacker sending a malicious link to a user who then opens it; the vulnerability therefore requires user interaction and is classified as a client‑side, reflected XSS.

Generated by OpenCVE AI on June 2, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑provided patch for Wirtualna Uczelnia when released.
  • Validate and whitelist the locale parameter to ensure it contains only expected values before use.
  • Encode or escape the locale value when reflecting it in the response, and enforce a strong Content‑Security‑Policy that disallows inline script execution.
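
The second and third recommendations, sketched as an added example (not code from Wirtualna Uczelnia or its vendor). The supported-locale set, the default, the function names and the CSP value are assumptions chosen for illustration.

```python
import html
import re

# Assumptions for this sketch: the locales the deployment ships and its default.
SUPPORTED_LOCALES = frozenset({"pl", "en", "pl-PL", "en-GB"})
DEFAULT_LOCALE = "pl"
# Shape check applied before the allowlist lookup: "pl", "en-GB".
_LOCALE_SHAPE = re.compile(r"[a-z]{2,3}(?:-[A-Z]{2})?")
# No 'unsafe-inline': an inline <script> that slips through is not executed.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
)


def resolve_locale(raw):
    """Map the untrusted locale parameter onto a member of the allowlist."""
    if not isinstance(raw, str) or len(raw) > 16:
        return DEFAULT_LOCALE
    lang, _, region = raw.strip().replace("_", "-").partition("-")
    lang = lang.lower()
    candidate = f"{lang}-{region.upper()}" if region else lang
    if not _LOCALE_SHAPE.fullmatch(candidate):
        return DEFAULT_LOCALE
    if candidate in SUPPORTED_LOCALES:
        return candidate
    # Unknown region: fall back to the bare language if that is supported.
    return lang if lang in SUPPORTED_LOCALES else DEFAULT_LOCALE


def rejected_locale_notice(raw):
    """Echo a rejected value in an error message, HTML-escaped and truncated."""
    return "Unsupported locale: " + html.escape(str(raw)[:16], quote=True)


def render_page(raw_locale):
    """Return (headers, body); only the resolved locale reaches the markup."""
    locale = html.escape(resolve_locale(raw_locale), quote=True)
    headers = [CSP_HEADER, ("Content-Type", "text/html; charset=utf-8")]
    body = f'<html lang="{locale}"><body data-locale="{locale}"></body></html>'
    return headers, body


# Constructed sample inputs, including one carrying markup.
if __name__ == "__main__":
    for sample in ("en_gb", "en-US", "de", 'en"><script>', None):
        print(repr(sample), "->", resolve_locale(sample))
```

The raw parameter never reaches the response: the page uses the resolved allowlist member, and any place that must echo the rejected value does so through `html.escape`.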



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Simple Sa; Simple Sa wirtualna Uczelnia |
| Vendors & Products | | Simple Sa; Simple Sa wirtualna Uczelnia |

Tue, 02 Jun 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Wirtualna Uczelnia is vulnerable to Reflected Cross‑Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script will be executed in their browser. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545 |
| Title | | Reflected Cross-Site Scripting (XSS) in Wirtualna Uczelnia |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-02T08:31:09.890Z

Reserved: 2026-03-31T12:34:08.476Z

Link: CVE-2026-34907

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T10:16:24.673

Modified: 2026-06-02T10:16:24.673

Link: CVE-2026-34907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T11:30:07Z

Weaknesses