Search
Search Results (5 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34906 | 1 Simple Sa | 1 Wirtualna Uczelnia | 2026-06-02 | N/A |
| Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545 | ||||
| CVE-2026-34907 | 1 Simple Sa | 1 Wirtualna Uczelnia | 2026-06-02 | N/A |
| Wirtualna Uczelnia is vulnerable to Reflected Cross‑Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script will be executed in their browser. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545 | ||||
| CVE-2026-1198 | 1 Simple Sa | 1 Simple.erp | 2026-04-17 | N/A |
| SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed. This issue was fixed in 6.30@A04.4_u06. | ||||
| CVE-2025-12140 | 1 Simple Sa | 1 Wirtualna Uczelnia | 2026-04-15 | N/A |
| The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated attacer to perform arbitrary code execution. This issue was fixed in version wu#2016.1.5513#0#20251014_113353 | ||||
| CVE-2025-9339 | 1 Simple Sa | 1 Simple.erp | 2026-04-15 | N/A |
| SQL injection vulnerability in the fields of warehouse document filtering form in SIMPLE.ERP software allows logged-in user a malicious query injection. Potential exploitation is limited by the 20-character limit in form fields. Identified use case allows to delete tables with a name of maximum 6 characters. We weren't able to identify a way to exfiltrate data within query character limit. This issue affects SIMPLE.ERP in versions before 6.30@a04.3. | ||||
Page 1 of 1.