CVE-2026-34117 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text_to_subtitles.php
Guardian language-system passes the id GET parameter directly into a PHP exec call in texttosubtitles.php line 19 without sanitization: exec"php jobs/texttosubtitles.php ".$loginsession." ".$GET'id'." ...". No authentication is required. An unauthenticated remote attacker can append shell...