CVE-2026-34112
Critical | CVSS 9.8
Exploitation Probability (EPSS): Low risk, 41st percentile (higher than 41% of all known CVEs)
Summary
A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in speechmac.php.
Risk Assessment
An attacker can gain full control of the server, steal data, install malware, or disrupt system operations.
Recommendation
Immediately update the Guardian language-system to the latest patched version and implement input validation and sanitization for all data passed to the exec() function.
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec("php jobs/speech_audio_mac.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
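A hardened form of the call quoted in the NVD description, as an added example that is not Guardian's code or its official patch. It assumes id is a positive integer and $login_session is a short alphanumeric token; the helper names are hypothetical, and the arguments elided by "..." in the original are left out.

```php
<?php
declare(strict_types=1);
// Added example, not Guardian's code. Assumed: `id` is a positive integer and
// $login_session is a short alphanumeric token. Helper names are hypothetical.

/** Return the id as an int, or null unless it is a plain positive integer. */
function parse_job_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Build the argument vector, or return null if either value fails validation. */
function build_speech_job_argv(string $session, $rawId): ?array
{
    $id = parse_job_id($rawId);
    if ($id === null || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $session) !== 1) {
        return null;
    }
    // Each element reaches the program as exactly one argument.
    return ['php', 'jobs/speech_audio_mac.php', $session, (string) $id];
}

/** Run the job without a shell (array form of proc_open, PHP 7.4+). */
function run_speech_job(array $argv): int
{
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if ($proc === false) {
        return -1;
    }
    stream_get_contents($pipes[1]); // drain stdout so the child cannot block
    fclose($pipes[1]);
    return proc_close($proc);
}

// Constructed sample inputs: only the first one is accepted.
if (PHP_SAPI === 'cli') {
    foreach (['42', '42 extra', '42;x', '', ['42']] as $sample) {
        $argv = build_speech_job_argv('sess_abc123', $sample);
        echo json_encode($sample), ' => ', $argv === null ? 'rejected' : 'accepted', "\n";
    }
}
```

In a request handler, a null result from build_speech_job_argv() should end the request with a 400 response before run_speech_job() is reached, and the endpoint itself should sit behind an authentication check.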

