CVE Catalog

CVE-2026-34116

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.55%

42nd percentile: higher than 42% of all known CVEs

Summary

The Guardian language system passes the 'id' GET parameter directly into a PHP exec() call in transcribe.php without sanitization. An unauthenticated attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Risk Assessment

The risk for the organization includes full server compromise, data theft, malware installation, and use of the server for further attacks. No authentication is required, making remote exploitation easy.

Recommendation

Immediately update the Guardian system to the latest version that fixes this vulnerability. If no update is available, temporarily disable transcribe.php or implement input filtering for the 'id' parameter.

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe.php (line 15) without sanitization: exec("php jobs/transcribe.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
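The recommendation above asks for input filtering on the 'id' parameter; as an added example (not code from the Guardian project or the NVD record), this is one hardened shape for the call described: allow-list validation of the id before it can reach exec(), plus escapeshellarg() on every argument. The id format, the $loginSession value and the function names are assumptions.

```php
<?php
// Added example, not Guardian's own code. Hypothetical hardened handling of
// the transcribe.php 'id' parameter from the CVE description.

// Returns the validated job id, or null if the value is not an allow-listed identifier.
function validateJobId(?string $id): ?string {
    // Assumed id format: 1-32 alphanumeric characters (adjust to the real scheme).
    if ($id === null || !preg_match('/^[A-Za-z0-9]{1,32}$/', $id)) {
        return null;
    }
    return $id;
}

// Builds the command string with each argument individually quoted, so any
// shell metacharacter in either value is passed literally rather than interpreted.
function buildTranscribeCommand(string $loginSession, string $jobId): string {
    return 'php jobs/transcribe.php '
        . escapeshellarg($loginSession) . ' '
        . escapeshellarg($jobId);
}

// --- constructed demonstration inputs (not real data) ---
$loginSession = 'sess-demo';

// A well-formed id passes validation.
$ok = validateJobId('job42');
var_dump($ok === 'job42');

// A value carrying a shell metacharacter is rejected at validation,
// so exec() is never reached with it.
$bad = validateJobId('42; extra');
var_dump($bad === null);

// Defence in depth: even if validation were bypassed, escapeshellarg()
// keeps the whole value inside a single quoted argument.
echo buildTranscribeCommand($loginSession, '42; extra'), PHP_EOL;

if ($ok !== null) {
    $cmd = buildTranscribeCommand($loginSession, $ok);
    // exec($cmd, $output, $status);  // call site unchanged apart from the safe command string
}
```

On PHP 7.4 or later, passing an argv array to proc_open() avoids the shell entirely and is preferable to building a command string at all.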

Vulnerability data from NVD (NIST) · CISA KEV · EPSS