CVE Catalog

CVE-2026-34106

Critical (CVSS 9.8)

Exploitation Probability (EPSS)

Low risk: 0.68% (48th percentile, higher than 48% of all known CVEs)

Summary

The Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php without sanitization. Because the script requires no authentication, an unauthenticated remote attacker can append shell metacharacters to the id parameter and execute arbitrary OS commands on the server with the privileges of the web server process.

Risk Assessment

Because no authentication is required and the outcome is remote code execution (RCE), the vulnerability poses a critical risk of full server takeover, data theft, or use of the server as a pivot point for further attacks against the internal network.

Recommendation

Immediately update the Guardian system to the latest patched version. Until the update is applied, restrict network access to subtitles.php (ideally block it entirely at the reverse proxy or firewall). If the endpoint must remain reachable, require authentication and reject any id value that does not match the expected format; an allowlist check is the reliable option, because blocklisting individual shell metacharacters is easy to bypass.

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec("php jobs/subtitle_rendering.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.
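The following is an added example, not code from the Guardian project, written to illustrate the injection pattern described in the Summary and in the NVD description above and to show a hardened replacement. It assumes that $login_session is a server-side session token, that subtitle ids are decimal integers, that a logged-in user is recorded in $_SESSION['user_id'], and that the worker is invoked as shown in the advisory; the trailing arguments elided there ("...") are simply omitted. The function and variable names are hypothetical.

```php
<?php
// Added example (not the Guardian project's code). Reproduces the pattern
// from the advisory, a GET parameter concatenated straight into exec(),
// next to a hardened version. Assumptions: $login_session is a server-side
// session token, subtitle ids are decimal integers, an authenticated user is
// stored in $_SESSION['user_id'], and the worker is invoked as in the advisory
// with its elided trailing arguments left out.

declare(strict_types=1);

// --- Vulnerable pattern (as described in the advisory) -------------------
// The id value enters the shell string unchanged, so a request such as
// ?id=1;id or ?id=1$(id) runs attacker-chosen commands as the web server user.
function build_cmd_vulnerable(string $login_session, string $id): string
{
    return "php jobs/subtitle_rendering.php " . $login_session . " " . $id;
}

function render_vulnerable(string $login_session, string $id): array
{
    exec(build_cmd_vulnerable($login_session, $id), $output, $status);
    return $output;
}

// --- Hardened version ----------------------------------------------------
// 1. Require an authenticated session (the advisory notes none is required).
// 2. Validate id against an allowlist before it is used anywhere; reject
//    anything else rather than trying to strip "bad" characters.
// 3. escapeshellarg() every argument, so that a later change to the id
//    format cannot silently reintroduce shell metacharacter injection.
function is_valid_subtitle_id(string $id): bool
{
    // Assumed id format: 1 to 12 decimal digits. Adjust to the real format.
    return preg_match('/\A[0-9]{1,12}\z/', $id) === 1;
}

function build_cmd_hardened(string $login_session, string $id): ?string
{
    if (!is_valid_subtitle_id($id)) {
        return null; // caller answers 400 Bad Request
    }
    return 'php jobs/subtitle_rendering.php '
        . escapeshellarg($login_session) . ' '
        . escapeshellarg($id);
}

function render_hardened(string $login_session, string $id): array
{
    if (empty($_SESSION['user_id'])) {      // assumed session layout
        http_response_code(401);
        return [];
    }
    $cmd = build_cmd_hardened($login_session, $id);
    if ($cmd === null) {
        http_response_code(400);
        return [];
    }
    exec($cmd, $output, $status);
    return $output;
}

// Dry run from the CLI: print the command each version would hand to the
// shell for a constructed injection payload, without executing anything.
if (PHP_SAPI === 'cli') {
    $payload = '1;id'; // constructed attacker input
    echo "vulnerable: ", build_cmd_vulnerable('SESSIONTOKEN', $payload), "\n";
    echo "hardened:   ", var_export(build_cmd_hardened('SESSIONTOKEN', $payload), true), "\n";
    echo "hardened:   ", build_cmd_hardened('SESSIONTOKEN', '42'), "\n";
}
```

Run with `php example.php` to see the difference: the vulnerable builder emits the payload verbatim after the session token, so everything after the semicolon becomes a second shell command, while the hardened builder refuses the payload outright and single-quotes a valid id. The allowlist check is the real fix; escapeshellarg() is defence in depth for the day someone widens the accepted id format.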

Vulnerability data from NVD (NIST) · CISA KEV · EPSS