CVE Catalog

CVE-2026-34117

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.54%

41st percentile (higher than 41% of all known CVEs)

Summary

Guardian language-system passes the 'id' GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization. No authentication is required, so an unauthenticated remote attacker can append shell metacharacters and execute arbitrary OS commands on the server.

Risk Assessment

The risk for the organization includes full server compromise, data theft, malware installation, and use of the server for further attacks. Because no authentication is required, the likelihood of exploitation is higher.

Recommendation

Immediately update the Guardian system to the latest version that fixes this vulnerability. Until the update is applied, disable or secure the text_to_subtitles.php file and implement input parameter filtering.
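The input filtering recommended above, sketched for the exec() call this entry describes. This is an added example, not the Guardian project's code or its fix. The function names, the assumption that 'id' is a positive integer, and the sample values are hypothetical. It covers only the parameter handling, not the missing authentication.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a short run of ASCII digits as the job id.
// Assumption: ids are positive integers; the entry does not state the format.
function parse_job_id(mixed $raw): ?string
{
    // Arrays (?id[]=...) and anything that is not purely numeric are rejected.
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,9}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Build the worker command with every variable argument shell-quoted, so the
// shell sees each value as a single literal argument even if validation is
// later relaxed. The trailing "..." arguments from the entry are not reproduced.
function build_job_command(string $session, string $id): string
{
    return 'php jobs/text_to_subtitles.php '
        . escapeshellarg($session) . ' '
        . escapeshellarg($id);
}

// Validate first, then build; the caller would pass 'command' to exec()
// only when the status is 202.
function handle_request(array $get, string $loginSession): array
{
    $id = parse_job_id($get['id'] ?? null);
    if ($id === null) {
        return ['status' => 400, 'command' => null];
    }
    return ['status' => 202, 'command' => build_job_command($loginSession, $id)];
}

// Constructed sample inputs: one valid id, then values that must be rejected.
foreach (['42', '42;x', '', ['42']] as $sample) {
    $r = handle_request(['id' => $sample], 'sess-constructed');
    printf("%-8s => %d %s\n", json_encode($sample), $r['status'], $r['command'] ?? '(rejected)');
}
```

Only the first sample produces a command; the others return 400 before any command string is built.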

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec("php jobs/text_to_subtitles.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS