CVE-2026-34117
CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in text_to_subtitles.php
Title source: cnaDescription
Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec(\"php jobs/text_to_subtitles.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
References (2)
Core 2
Core References
Exploit technical-description
exploit
Researcher Disclosure
https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-text-to-subtitles-php
Scores
CVSS v3
9.8
EPSS
0.0054
EPSS Percentile
41.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
guardian/language-system
< e42c395ec4b03fe62973a669c9209a673838b8a4
Published
Jul 01, 2026
Tracked Since
Jul 01, 2026