CVE-2026-34108
Critical, CVSS 9.8
Exploitation Probability (EPSS): Low risk, 42nd percentile (higher than 42% of all known CVEs)
Summary
A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the id parameter passed to the exec() function in text.php.
Risk Assessment
An attacker can gain full control of the server, steal data, install malware, or disrupt service availability.
Recommendation
Immediately update the Guardian language-system to the latest patched version and sanitize all input passed to exec() calls.
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec("php jobs/text.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
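A hardened form of the call described above, as an added example that is not the project's own code or its actual patch: it requires a session, accepts only a numeric id, and starts the job with an argument vector so that no shell parses the values. The helper names parse_job_id and run_text_job, the session key login_session, and the assumption that id is a decimal number are all hypothetical; the arguments the description elides as "..." are left out.

```php
<?php
// Added example. Only exec(), $_GET['id'], $login_session and jobs/text.php
// come from the advisory; every other name here is an assumption.

/** Accept a short decimal id only; return null for anything else. */
function parse_job_id($raw): ?int
{
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Run jobs/text.php without a shell: each value is exactly one argv entry. */
function run_text_job(string $loginSession, int $id): array
{
    // Array form of proc_open() (PHP 7.4+) executes the program directly,
    // so metacharacters in an argument are never interpreted.
    // Arguments elided as "..." in the advisory would be appended the same way.
    $argv = ['php', __DIR__ . '/jobs/text.php', $loginSession, (string) $id];
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start jobs/text.php');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'stdout' => $stdout];
}

// Request handling: authenticate first, then validate, then run.
if (PHP_SAPI !== 'cli') {
    session_start();
    $loginSession = $_SESSION['login_session'] ?? null; // assumed session key
    if (!is_string($loginSession) || $loginSession === '') {
        http_response_code(401); // the advisory notes no authentication was required
        exit;
    }
    $id = parse_job_id($_GET['id'] ?? null);
    if ($id === null) {
        http_response_code(400); // reject instead of trying to "clean" the value
        exit;
    }
    $result = run_text_job($loginSession, $id);
}
```

Where the array form of proc_open() is not available, wrapping each value in escapeshellarg() before building the command string is the fallback, still combined with the numeric check.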

