Description
Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec("php jobs/complex.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Published: 2026-07-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Guardian Language-System's complex_start.php concatenates the id GET parameter directly into a PHP exec() call without filtering or sanitization. This permits an unauthenticated attacker to inject shell metacharacters in the id value, causing the server to execute arbitrary operating-system commands. The lack of an authentication requirement removes any user-level barrier, allowing remote execution from any client that can reach the HTTP endpoint. Exploitation can lead to full system compromise, data loss, or further lateral movement once the attacker gains command execution.

Affected Systems

The vulnerability affects Guardian Language-System wherever complex_start.php is present. No specific version numbers were supplied in the advisory, so any deployment that has not applied a patch or other mitigation that sanitizes the id parameter is potentially vulnerable.

Risk and Exploitability

The CVSS score of 9.3 reflects critical severity and the absence of any authentication barrier. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The simplest exploitation path involves sending a crafted HTTP GET request to /complex_start.php with a malicious id string, which the web process passes straight to exec(), yielding command execution with the privileges of the (unprivileged) web-server account.

Generated by OpenCVE AI on July 2, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that sanitizes the id parameter before using it in exec()
  • If an immediate patch cannot be deployed, remove or block external access to complex_start.php using web-server configuration rules
  • Implement application-level validation, such as allowing only numeric values for id and rejecting any characters that could be interpreted by the shell
  • Replace the insecure exec() usage with a safer interface, or restrict id to an allow-list of known-good values that is mapped to fixed, pre-built commands
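To make the validation and quoting advice above concrete, here is a hardened handler written for this page as an added example; it is not Guardian Language-System's code and is not taken from any vendor patch. It assumes the shape of the exec() line quoted in the advisory (jobs/complex.php takes the session value and the id as positional arguments; the trailing arguments the advisory elides with "..." are left out), assumes $login_session comes from the application's own session layer, and adds an authentication check the original endpoint lacked. Every variable part of the command is passed through escapeshellarg(), and id is accepted only if it is a bounded positive integer, so no shell metacharacter can reach exec().

```php
<?php
// Added example (not the project's code): hardened replacement for the
// unsanitized exec() call described in the advisory.
declare(strict_types=1);

session_start();

/**
 * Accept only a positive integer of at most 9 digits; return null otherwise.
 * ctype_digit() rejects signs, whitespace and every shell metacharacter,
 * so the returned value cannot alter the command line.
 */
function validate_job_id($raw): ?int
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 9) {
        return null;
    }
    if (!ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Build the job command with a fixed program and script path and with every
 * variable argument quoted by escapeshellarg(). The session value is quoted
 * too, so it cannot become a second injection point later.
 */
function build_job_command(string $loginSession, int $id): string
{
    $script = __DIR__ . '/jobs/complex.php';  // path assumed from the advisory
    return 'php ' . escapeshellarg($script)
        . ' ' . escapeshellarg($loginSession)
        . ' ' . escapeshellarg((string) $id);
}

// Authentication first: the vulnerable endpoint had no such check.
// The session key name is an assumption for this example.
$login_session = $_SESSION['login_session'] ?? null;
if (!is_string($login_session) || $login_session === '') {
    http_response_code(401);
    exit('authentication required');
}

// Reject anything that is not a plain positive integer before it is used.
$id = validate_job_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}

exec(build_job_command($login_session, $id), $output, $status);
if ($status !== 0) {
    http_response_code(500);
    exit('job failed');
}
echo implode("\n", $output);
```

Validation and quoting are deliberately layered: the integer check alone would already neutralise the injection, and escapeshellarg() alone would already keep the argument as a single shell word, but keeping both means a future change to either function (for example, allowing alphanumeric ids) does not silently reopen the hole. Where the job logic can be called in-process, dropping exec() altogether in favour of a direct PHP include or function call removes the shell from the picture entirely.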

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 18:30:00 +0000

Values removed: (none)
Values added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 17:15:00 +0000

Values removed: (none)
Values added:
  Description: Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec("php jobs/complex.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
  Title: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in complex_start.php
  Weaknesses: CWE-78
  References: (none listed)
  Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
           cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T17:59:19.980Z

Reserved: 2026-03-25T18:43:09.827Z

Link: CVE-2026-34110

Vulnrichment

Updated: 2026-07-01T17:50:03.463Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T13:30:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')