COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-34106

CVE-2026-34106

Severity
critical
Source
NVD · cve
Published
2026-07-01
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-34106
⚡ RCE shame 50/100 rce

Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec(\"php jobs/subtitle_rendering.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote att

Description

Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec(\"php jobs/subtitle_rendering.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.