CRITICAL Vulnerability
Verified
Global

NVD CRITICAL: CVE-2026-34110 — Guardian language-system passes the id GET parameter directly into a PHP exec() ...

Source: NIST NVD

Executive Summary

Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec("php jobs/complex.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Analysis

CVSS Score: 9.8. Published: 2026-07-01T17:16:34.263.
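
A log check for the request pattern described in the summary above, as an added example that is not from NIST NVD or the Guardian project: it decodes the id query parameter on requests to complex_start.php and flags values that carry shell-significant characters. The log layout (Apache/nginx combined format), the sample lines and the names scan, id_values and SAMPLE_LOG are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

ENDPOINT = "complex_start.php"  # script named in the advisory
# Characters a shell treats specially; whitespace is included because it
# would split the value into extra arguments of the exec() command line.
SHELL_CHARS = set(";|&`$(){}<>\\'\"!*?~# \t\r\n")
# Assumed log layout: Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2026:10:00:01 +0000] "GET /complex_start.php?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2026:10:00:05 +0000] "GET /complex_start.php?id=42%3Becho+test HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Jul/2026:10:00:09 +0000] "GET /app/complex_start.php?lang=en&id=7%60true%60 HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Jul/2026:10:00:12 +0000] "GET /index.php?id=1%3Becho+test HTTP/1.1" 200 100',
]

def id_values(target):
    """Decoded values of every id parameter on a request to ENDPOINT."""
    path, _, query = target.partition("?")
    if unquote(path).rsplit("/", 1)[-1] != ENDPOINT:
        return []
    values = []
    for pair in query.split("&"):  # PHP's default separator is "&" only
        name, _, raw = pair.partition("=")
        if unquote_plus(name) == "id":
            values.append(unquote_plus(raw))
    return values

def scan(lines):
    """Return (line_no, client_ip, decoded_id, flagged_chars) per hit."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in id_values(m["target"]):
            flagged = sorted(set(value) & SHELL_CHARS)
            if flagged:
                findings.append((line_no, m["ip"], value, flagged))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check sees only what the web server logged for the request line, so it covers the GET query string that $_GET['id'] is read from and nothing sent in a request body.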

Indicators of Compromise (1)

CVE (1)
CVE-2026-34110

Source Attribution

Originally published by NIST NVD on Jul 1, 2026. Verified by: NIST.
