OS Command Injection in Guardian Language System by Guardian Technologies
CVE-2026-34116

9.3CRITICAL

Key Information:

Vendor

Guardian

Vendor
CVE Published:
1 July 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-34116?

The Guardian Language System contains a vulnerability where the 'id' parameter in transcribe.php is directly passed to a PHP exec() command without proper sanitization. This scenario allows unauthenticated remote attackers to inject arbitrary OS commands by appending shell metacharacters to the 'id' parameter, leading to potential control over the server's operating system. The lack of authentication checks significantly heightens the risk, making it imperative for users to secure their installations.

Affected Version(s)

language-system 0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

philopentest
.