CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-34108 — Guardian language-system passes the id GET parameter directly into a PHP exec() ...

·Source: NIST NVD

Updated:

Executive Summary

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec(\"php jobs/text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Analysis

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec(\"php jobs/text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server. CVSS Score: 9.8. Published: 2026-07-01T17:16:33.970.

Indicators of Compromise (1)

CVE (1)
CVE-2026-34108
Source Attribution

Originally published by NIST NVD on Jul 1, 2026. Verified by: NIST.

Related Threats