CVE ID: CVE-2025-12140

Publication Date: November 27, 2025

Vulnerable Software Manufacturer: Simple SA

Name of Vulnerable Software: Wirtualna Uczelnia

Vulnerable Versions: All versions below wu#2016.1.5513#0#20251014_113353

Type of Vulnerability (CWE): Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Source of Report: Report to CERT Polska

Vulnerability Description:

CERT Polska received a report about a vulnerability in the Wirtualna Uczelnia software and coordinated the information disclosure process.

Vulnerability CVE-2025-12140: The software incorrectly interprets the 'redirectUrlParameter' value as a 'redirectToUrl'. The software interprets the entered string as a Java expression, allowing an unauthorized attacker to execute arbitrary code. The vulnerability was fixed in version wu#2016.1.5513#0#20251014_113353.

Acknowledgment: Thank you to Marcin Ressel for reporting the vulnerability.