OS Command Injection Vulnerability in Guardian Language System by Guardian
CVE-2026-34109

9.3CRITICAL

Key Information:

Vendor

Guardian

Vendor
CVE Published:
1 July 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-34109?

The Guardian Language System contains a vulnerability in the speech.php file, where the application directly incorporates the 'id' GET parameter into a PHP exec() call without proper sanitization. This flaw allows an unauthenticated attacker to inject shell metacharacters, enabling the execution of arbitrary OS commands on the server. The lack of authentication requirements exacerbates the risk, as it exposes the application to potential exploitation by remote attackers, leveraging this vulnerability for unauthorized access or control over the system.

Affected Version(s)

language-system 0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

philopentest
.