CVE-2026-34112

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.54%

41st percentile — higher than 41% of all known CVEs

Summary

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in speechmac.php.

Risk Assessment

An attacker can gain full control of the server, steal data, install malware, or disrupt system operations.

Recommendation

Immediately update the Guardian language-system to the latest patched version and implement input validation and sanitization for all data passed to the exec() function.

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec("php jobs/speech_audio_mac.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
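
One way to apply the recommendation to the exec() call quoted above, as an added example (not Guardian's code and not the vendor's patch). It assumes id is a numeric identifier; build_speech_job_command is a hypothetical helper, and the sample inputs are constructed.

```php
<?php
// Added example: hardened construction of the command line that speechmac.php
// hands to exec(). Assumption: 'id' is a numeric record identifier.

/**
 * Hypothetical helper. Returns the command string, or null when $rawId is rejected.
 */
function build_speech_job_command(string $loginSession, $rawId): ?string
{
    // Query parameters can arrive as arrays (?id[]=1), so accept strings only.
    // Allow-list of 1 to 10 decimal digits; reject everything else instead of
    // trying to strip characters out of it.
    if (!is_string($rawId) || preg_match('/\A[0-9]{1,10}\z/', $rawId) !== 1) {
        return null;
    }

    // escapeshellarg() quotes each value so the shell sees exactly one argument,
    // whatever characters it contains. The session value gets the same treatment
    // because it reaches the same shell. Any further arguments (elided as "..."
    // in the description) would need it too.
    return 'php jobs/speech_audio_mac.php '
        . escapeshellarg($loginSession) . ' '
        . escapeshellarg($rawId);
}

// Constructed sample inputs: one valid id, one with a metacharacter,
// an empty string, and an array-valued parameter.
$samples = ['42', '42;x', '', ['42']];
foreach ($samples as $raw) {
    $cmd = build_speech_job_command('sess123', $raw);
    echo json_encode($raw), ' => ', $cmd === null ? 'rejected' : $cmd, PHP_EOL;
}
```

Validation of this kind does not address the missing authentication noted in the description; the endpoint still needs a session check before any job is started.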

Vulnerability data from NVD (NIST) · CISA KEV · EPSS