GHSA-xv4q-rvqg-wpq7CriticalCVSS 9.8
Guardian language-system passes the id GET parameter directly into a PHP exec() call in...
🔗 CVE IDs covered (1)
📋 Description
Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec("php jobs/text_to_subtitles.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
🔗 References (4)
- https://nvd.nist.gov/vuln/detail/CVE-2026-34117
- https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad
- https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-text-to-subtitles-php
- https://github.com/advisories/GHSA-xv4q-rvqg-wpq7