CVE Catalog

CVE-2026-34107

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.68%

48th percentile — higher than 48% of all known CVEs

Summary

Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Risk Assessment

The risk for the organization includes full server compromise, data theft, malware installation, and use of the server for further attacks. The lack of required authentication increases the severity of the threat.

Recommendation

Immediately update the Guardian language-system to the latest version that fixes this vulnerability. Until the update, disable or secure the translate.php file and apply input filtering and validation to all user inputs.
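
The input validation and shell-free invocation that the recommendation points to, as an added example that is not taken from the Guardian language-system code. It assumes id is a numeric identifier, leaves out the elided trailing arguments of the original command, and uses hypothetical function names.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Assumption: "id" is a positive
// decimal integer; adjust the pattern if the real identifier differs.

/** Return the id as a digit string, or null if it is not strictly numeric. */
function validate_translate_id($raw): ?string
{
    // Reject arrays (?id[]=x), empty values and anything but 1-10 digits.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,10}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/** Build the argument vector; no shell command string is ever assembled. */
function build_translate_argv(string $loginSession, string $id): array
{
    return ['php', 'jobs/translate.php', $loginSession, $id];
}

/** Run the job without /bin/sh (array form of proc_open, PHP 7.4+). */
function run_translate_job(string $loginSession, $rawId): int
{
    $id = validate_translate_id($rawId);
    if ($id === null) {
        http_response_code(400);   // refuse instead of trying to clean up
        return -1;
    }
    $spec = [1 => ['pipe', 'w']];  // capture stdout only
    $proc = proc_open(build_translate_argv($loginSession, $id), $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    stream_get_contents($pipes[1]); // drain output so the child can exit
    fclose($pipes[1]);
    return proc_close($proc);
}

// Constructed inputs: only the first one passes validation.
foreach (['42', '42;x', '', '4 2'] as $sample) {
    printf("%-7s => %s\n", var_export($sample, true),
        validate_translate_id($sample) === null ? 'rejected' : 'accepted');
}
```

Where exec() has to stay, run the same validation first and wrap every argument in escapeshellarg() before it is concatenated into the command string.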

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization: exec("php jobs/translate.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS