CRITICAL Vulnerability
Verified
Global
NVD CRITICAL: CVE-2026-34110 — Guardian language-system passes the id GET parameter directly into a PHP exec() ...
Source: NIST NVD
Executive Summary
Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec("php jobs/complex.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Analysis
CVSS Score: 9.8. Published: 2026-07-01T17:16:34.263.
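A hardened form of the exec() call described above, as an added example that is not Guardian's code. The function names, the assumption that id is a positive decimal integer, and the sample values are hypothetical; the arguments the advisory elides after id are not reproduced.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code.
// Assumption: `id` is a positive decimal record id (the advisory does not state its format).
function parse_job_id(mixed $raw): ?int
{
    // Allow-list: a string of 1-10 digits with no leading zero. This rejects
    // arrays (?id[]=1), empty values, whitespace, and every shell metacharacter.
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

function build_complex_job_command(string $loginSession, int $id): string
{
    // escapeshellarg() quotes each value so the shell receives it as a single
    // literal argument; it is applied to the session value too, since that
    // value is also concatenated into the command line.
    return 'php jobs/complex.php '
        . escapeshellarg($loginSession) . ' '
        . escapeshellarg((string) $id);
}

// Constructed sample inputs: one valid id, then values the validator must refuse.
$samples = ['42', '42;x', '42 43', '042', '', ['42']];

foreach ($samples as $raw) {
    $id = parse_job_id($raw);
    if ($id === null) {
        // In a request handler this is where a 400 response is returned
        // and exec() is never reached.
        echo 'rejected: ' . json_encode($raw) . "\n";
        continue;
    }
    echo build_complex_job_command('constructed-session-token', $id) . "\n";
}
```

Input validation does not address the missing authentication the advisory also reports, so the endpoint needs a session check before this code runs. On PHP 7.4 and later, proc_open() with an array command avoids the shell entirely.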