PT-2026-54742 · Guardian · Language-System

Philopentest · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-34106

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec("php jobs/subtitle_rendering.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.
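
An added example, not code from Guardian language-system or from the advisory: the concatenation pattern quoted above beside a hardened builder that validates id against an allow-list and quotes every argument. The function names, the assumption that a legitimate id is a short decimal number, and the sample inputs are constructed for illustration; the command lines are only printed, never executed.

```php
<?php
declare(strict_types=1);

// Pattern from the advisory: request data concatenated into a shell command line.
function buildCommandVulnerable(string $loginSession, string $id): string
{
    return "php jobs/subtitle_rendering.php " . $loginSession . " " . $id;
}

// Hardened form. Assumption: a legitimate id is a short decimal number.
function buildCommandHardened(string $loginSession, string $id): string
{
    // Allow-list validation first. \A and \z anchor the whole string;
    // with ^ and $ a value ending in a newline would still be accepted.
    if (preg_match('/\A[0-9]{1,10}\z/', $id) !== 1) {
        throw new InvalidArgumentException('id must be a decimal number');
    }
    // Defense in depth: quote every argument so the shell sees one word each.
    return implode(' ', [
        'php',
        escapeshellarg('jobs/subtitle_rendering.php'),
        escapeshellarg($loginSession),
        escapeshellarg($id),
    ]);
}

// Constructed sample inputs (not taken from the advisory).
$session = 'sess-demo';
$samples = ['42', '42; echo INJECTED', '$(echo INJECTED)', "42\n"];

foreach ($samples as $id) {
    // json_encode makes control characters such as the newline visible.
    printf("id=%s\n", json_encode($id));
    printf("  vulnerable: %s\n", json_encode(buildCommandVulnerable($session, $id)));
    try {
        printf("  hardened:   %s\n", json_encode(buildCommandHardened($session, $id)));
    } catch (InvalidArgumentException $e) {
        printf("  hardened:   rejected (%s)\n", $e->getMessage());
    }
}
```

Only the first sample passes the hardened builder; the other three are rejected before any command line is formed. Input handling does not address the missing authentication noted above, which needs its own check before the job is started.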

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-34106

Affected Products

Language-System