CVE-2026-34106
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Low risk, 48th percentile (higher than 48% of all known CVEs)
Summary
Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php without sanitization. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.
Risk Assessment
Because no authentication is required and the flaw gives remote code execution (RCE), there is a critical risk of server takeover, data theft, or use of the server as a pivot point for further attacks within the internal network.
Recommendation
Immediately update the Guardian system to the latest patched version. Until then, disable or secure access to subtitles.php by filtering the id parameter and applying network access restrictions.
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec("php jobs/subtitle_rendering.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.
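The interim "filter the id parameter" mitigation from the recommendation, as an added example that is not the project's own code or its patch. The function names validate_subtitle_id and build_render_command are hypothetical, the digits-only id format is an assumption the page does not confirm, and the trailing arguments the description elides are left out.

```php
<?php
// Added example: allowlist validation plus shell escaping for the id value.
// Assumption: id is a short decimal identifier (the page does not give its format).

function validate_subtitle_id(?string $raw): ?string
{
    // Accept 1-10 ASCII digits only. Anything else, including whitespace and
    // shell metacharacters, is rejected outright rather than "cleaned".
    // \A and \z anchor the whole string, so a trailing newline does not pass.
    if ($raw === null || preg_match('/\A[0-9]{1,10}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

function build_render_command(string $loginSession, string $id): string
{
    // escapeshellarg() quotes each value so the shell receives exactly one
    // argument per value; this is defence in depth behind the allowlist.
    return 'php jobs/subtitle_rendering.php '
        . escapeshellarg($loginSession) . ' '
        . escapeshellarg($id);
}

// Constructed sample values standing in for $_GET['id'] (null = parameter absent).
$samples = ['42', '42;x', '', "7\n8", null];

foreach ($samples as $raw) {
    $id = validate_subtitle_id($raw);
    if ($id === null) {
        // In a request handler this branch would return HTTP 400 and stop.
        echo 'rejected: ' . var_export($raw, true) . PHP_EOL;
        continue;
    }
    // Printed, not executed: the example only shows the resulting command string.
    echo 'accepted: ' . build_render_command('sess-constructed', $id) . PHP_EOL;
}
```

Input validation of this kind does not address the missing authentication noted in the description; access to subtitles.php still needs to be restricted until the patched version is installed.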

