OS Command Injection in Guardian Language System by Vendor Guardian
CVE-2026-34106

9.3CRITICAL

Key Information:

Vendor

Guardian

Vendor
CVE Published:
1 July 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-34106?

The Guardian Language System has a significant security vulnerability where it directly passes the 'id' parameter from the URL into a PHP exec() call without proper sanitization. This flaw, located in the subtitles.php file, allows unauthenticated attackers to manipulate the 'id' parameter, potentially leading to the execution of arbitrary operating system commands. This could compromise the server's integrity and expose sensitive data, making it crucial for users to address this issue promptly.

Affected Version(s)

language-system 0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

philopentest
.