CVE-2026-34114
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Low risk, 41st percentile (higher than 41% of all known CVEs)
Summary
A vulnerability in the Guardian language system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in translate_text.php. The lack of input validation and direct use of the parameter in an exec() call enables exploitation without authentication.
Risk Assessment
The organization faces complete server compromise, potentially leading to data theft, malware installation, or use of the server for further attacks. The absence of authentication requirements increases the risk of exploitation by anyone with network access.
Recommendation
Immediately update the Guardian system to the latest version that includes a fix for this vulnerability. Until the update is applied, block access to translate_text.php via firewall or web server configuration.
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec("php jobs/translate_text.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
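The call pattern quoted in the NVD description, rebuilt with strict input validation and shell-argument quoting, as an added example that is not Guardian's own code. The function names, the assumption that id is a numeric identifier, and the sample values are constructed for illustration; the arguments elided as "..." in the description are left out.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helpers, not Guardian's code).

/**
 * Accept only a plain positive decimal integer for id.
 * Assumption: job ids are numeric. \A and \z anchor the whole string,
 * so a trailing newline does not slip through as it would with $.
 * Returns the validated string, or null if the request must be rejected.
 */
function validate_job_id(mixed $raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    return $raw;
}

/**
 * Build the command line with every dynamic value passed through
 * escapeshellarg(), so the shell receives each as one quoted argument.
 * Where PHP 7.4+ is available, passing an argv array to proc_open()
 * avoids the shell entirely and is the stronger choice.
 */
function build_translate_command(string $loginSession, string $jobId): string
{
    return 'php jobs/translate_text.php '
        . escapeshellarg($loginSession) . ' '
        . escapeshellarg($jobId);
}

// Constructed sample inputs: one well-formed id, the rest must be rejected.
$samples = ['42', '0042', '42 ', "42\n", '42;x', '-1', '', ['42']];

foreach ($samples as $sample) {
    $id = validate_job_id($sample);
    if ($id === null) {
        // In a request handler this would be an HTTP 400 with no exec() call.
        echo 'rejected: ' . json_encode($sample) . PHP_EOL;
        continue;
    }
    echo 'command:  '
        . build_translate_command('constructed-session-token', $id) . PHP_EOL;
}
```

This covers only the injection path; the missing authentication check noted in the description needs its own fix before the handler reaches this code.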

