CVE-2026-34112 CRITICAL

CVE-2026-34112: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechmac.php

Vendor Guardian
Product language-system
Weakness CWE-78
Published July 1, 2026
Last update July 1, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec("php jobs/speech_audio_mac.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
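One way to close both gaps named in the description (no authentication, and raw input reaching a shell) is sketched below as an added example; it is not the vendor's code or an official patch. The function names, the digits-only id format and the session check are assumptions, and the arguments the description elides after the id are left out.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code. Assumption: a legitimate id is a
// short decimal number; adjust ID_PATTERN to the real id format.
const ID_PATTERN = '/\A[0-9]{1,10}\z/';

// Returns the argument vector for the job, or null if the id is rejected.
// Arguments the advisory elides after the id are not reproduced here.
function build_speech_argv(string $loginSession, $rawId): ?array
{
    if (!is_string($rawId) || preg_match(ID_PATTERN, $rawId) !== 1) {
        return null; // also rejects array-valued id parameters
    }
    return ['php', 'jobs/speech_audio_mac.php', $loginSession, $rawId];
}

// Runs the job with no shell involved: proc_open() takes an array command
// (PHP 7.4+), so each element reaches the child as exactly one argument.
function run_speech_job(array $argv): int
{
    $null = ['file', '/dev/null', 'w']; // assumption: POSIX host
    $pipes = [];
    $proc = proc_open($argv, [1 => $null, 2 => $null], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start job');
    }
    return proc_close($proc);
}

// Hypothetical handler: authenticate, validate, then execute.
function handle_request(array $get, ?string $loginSession): int
{
    if ($loginSession === null || $loginSession === '') {
        return 401; // no authenticated session
    }
    $argv = build_speech_argv($loginSession, $get['id'] ?? null);
    if ($argv === null) {
        return 400; // id failed the allow-list
    }
    run_speech_job($argv);
    return 200;
}

// Constructed inputs; both are refused before anything is executed.
if (PHP_SAPI === 'cli') {
    var_dump(handle_request(['id' => '42;x'], 'constructed-session'));
    var_dump(handle_request(['id' => '42'], null));
}
```

If the call has to stay on exec(), wrapping every interpolated value in escapeshellarg() after the same allow-list check is the minimum equivalent.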

Key dates

02 Disclosure timeline

July 1, 2026 CVE published
July 1, 2026 Record updated