CRITICAL Vulnerability
Verified
Global
NVD CRITICAL: CVE-2026-34107 — Guardian language-system passes the id GET parameter directly into a PHP exec() ...
Source: NIST NVD
Executive Summary
Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization: exec("php jobs/translate.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Analysis
Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization: exec("php jobs/translate.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
CVSS Score: 9.8.
Published: 2026-07-01T17:16:33.837.
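The flaw comes from building a shell string out of request input. The sketch below is an added example, not code from the Guardian language-system project: it validates id and starts the job with an argument array so that no shell parses the value. It assumes id is a positive decimal identifier; the function names and the session placeholder are hypothetical, the arguments elided as "..." in the advisory are left out, and the missing authentication check is a separate fix not shown here.

```php
<?php
declare(strict_types=1);

// Pattern quoted in the advisory (trailing arguments are elided there):
//   exec("php jobs/translate.php ".$login_session." ".$_GET['id']." ...");
// exec() hands the whole string to the shell, so metacharacters in id are interpreted.

/**
 * Hypothetical helper: validate id and build an argv array.
 * Assumption: id is a positive decimal job identifier (not stated in the advisory).
 */
function buildTranslateArgv(string $loginSession, $rawId): array
{
    // $_GET values can be arrays or missing, so require a string before matching.
    if (!is_string($rawId) || preg_match('/\A[1-9][0-9]{0,9}\z/', $rawId) !== 1) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return ['php', 'jobs/translate.php', $loginSession, $rawId];
}

/** Start the job without a shell: proc_open() accepts an argv array from PHP 7.4. */
function runTranslateJob(array $argv): int
{
    // stdin closed, stdout captured, stderr merged into stdout.
    $spec = [0 => ['null'], 1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start translate job');
    }
    stream_get_contents($pipes[1]); // drain output so the child cannot block on a full pipe
    fclose($pipes[1]);
    return proc_close($proc);       // exit status of the job
}

// Constructed inputs: one well-formed id, one carrying a shell metacharacter,
// and one array value as PHP would produce for ?id[]=1.
foreach (['42', '42; id', ['1']] as $candidate) {
    try {
        $argv = buildTranslateArgv('session-placeholder', $candidate);
        echo 'accepted: ', json_encode($argv), PHP_EOL;
        // In the endpoint: runTranslateJob($argv);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($candidate), PHP_EOL;
    }
}
```

Even if the validation were loosened, the array form of proc_open() passes each element to the child as a single argument, so a value containing ; or | reaches jobs/translate.php as literal text instead of being run.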