CVE Catalog

CVE-2026-34108

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.55%

42nd percentile — higher than 42% of all known CVEs

Summary

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the id parameter passed to the exec() function in text.php.

Risk Assessment

An attacker can gain full control of the server, steal data, install malware, or disrupt service availability.

Recommendation

Immediately update the Guardian language-system to the latest patched version and sanitize all input passed to exec() calls.

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec("php jobs/text.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
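One way to apply the recommendation to the exec() call described above, as an added example that is not the Guardian project's code or its actual patch: validate id against an allow-list and start the job without a shell. The PHP CLI path, the digit-only format of id, the session-token format and the names build_job_argv, run_job and PHP_CLI are assumptions.

```php
<?php
// Added example, not the Guardian project's code. Assumptions: id is a short
// decimal number, the session token is alphanumeric, and the PHP CLI lives at
// PHP_CLI. All function and constant names here are hypothetical.
const PHP_CLI = '/usr/bin/php';

function build_job_argv($loginSession, $rawId): array
{
    // Allow-list validation: anything other than 1-10 digits is rejected,
    // which also rejects arrays such as ?id[]=1.
    if (!is_string($rawId) || preg_match('/\A[0-9]{1,10}\z/', $rawId) !== 1) {
        throw new InvalidArgumentException('id must be a decimal integer');
    }
    // The session value reaches the command line too, so constrain it as well.
    if (!is_string($loginSession)
        || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $loginSession) !== 1) {
        throw new InvalidArgumentException('unexpected session value');
    }
    // One array element per argument; no command string is ever assembled.
    return [PHP_CLI, __DIR__ . '/jobs/text.php', $loginSession, $rawId];
}

function run_job(array $argv): int
{
    // With an array command (PHP >= 7.4) proc_open starts the program
    // directly, without a shell, so metacharacters are never interpreted.
    $spec = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['pipe', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start job');
    }
    stream_get_contents($pipes[1]); // drain stdout so the child cannot block
    fclose($pipes[1]);
    return proc_close($proc);
}

// Constructed sample inputs: a well-formed id and one carrying extra characters.
foreach (['42', '42;x'] as $candidate) {
    try {
        build_job_argv('sess_abc123', $candidate);
        echo "accepted: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate\n";
    }
}
```

Input validation closes the injection path only; the description also states that no authentication is required, so the endpoint needs an access check before the job is started.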

Vulnerability data from NVD (NIST) · CISA KEV · EPSS