CVE-2026-34106

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score
9.8 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Description

Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec("php jobs/subtitle_rendering.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.
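
Added example (not code from Guardian language-system): one way to constrain the id parameter before it reaches the job command, assuming id is meant to be a decimal integer. The function names and sample values are hypothetical, and the arguments elided as ... in the description above are not reproduced.

```php
<?php
// Added example, not the project's code.
// Assumption: `id` is a decimal integer. $loginSession stands in for the
// page's $login_session; the arguments elided as "..." are left out.

/**
 * Build the argument vector for the rendering job.
 * Returns null when the id fails the allow-list check.
 */
function build_render_argv(string $loginSession, $rawId): ?array
{
    // Allow-list: 1 to 10 ASCII digits, nothing else. \A and \z anchor the
    // whole string, so a trailing newline is rejected too. Array input
    // (?id[]=x) fails is_string().
    if (!is_string($rawId) || preg_match('/\A[0-9]{1,10}\z/', $rawId) !== 1) {
        return null;
    }
    // On PHP 7.4+, proc_open() accepts this array directly and starts the
    // process without a shell, so metacharacters are never interpreted.
    return ['php', 'jobs/subtitle_rendering.php', $loginSession, $rawId];
}

/**
 * Shell-quoted string form, for code paths that must keep exec().
 * Every argument is quoted, not only the one known to be attacker-supplied.
 */
function build_render_command(array $argv): string
{
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed inputs: one well-formed id, the rest malformed.
$samples = ['42', '42; echo x', '42 && echo x', "42\n", '', '00000000042'];

foreach ($samples as $sample) {
    $argv = build_render_argv('sess-constructed', $sample);
    printf(
        "%-16s => %s\n",
        json_encode($sample),
        $argv === null ? 'REJECTED' : build_render_command($argv)
    );
}
```

Only the first sample produces a command; the others are rejected before any process is started. The check covers the input handling only and does not address the missing authentication noted in the description.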

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-78
Source
NVD
Vendor
guardian
Product
language-system

External References
