CVE-2026-34115
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk41th percentile — higher than 41% of all known CVEs
Summary
A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter passed to the PHP exec() function in transcribe_amazon.php.
Risk Assessment
An attacker can take full control of the server, steal data, install malware, or use the server for further attacks, posing a critical threat to the confidentiality, integrity, and availability of the system.
Recommendation
Immediately update the Guardian language-system to the latest patched version and implement input validation and sanitization for all data passed to the exec() function.
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php (line 15) without sanitization: exec(\"php jobs/transcribe_amazon.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

