CRITICALVulnerability
Verified
Global
NVD CRITICAL: CVE-2026-34114 — Guardian language-system passes the id GET parameter directly into a PHP exec() ...
·Source: NIST NVD
Updated:
Executive Summary
Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec(\"php jobs/translate_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Analysis
Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec(\"php jobs/translate_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server. CVSS Score: 9.8. Published: 2026-07-01T17:16:34.780.