Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-34110— Guardian Language-System Unauthenticated OS Command Injection via id Parameter in complex_start.php

CVSS 9.8 · Critical

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-34110

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Guardian Language-System Unauthenticated OS Command Injection via id Parameter in complex_start.php
Source: NVD (National Vulnerability Database)
Vulnerability Description
Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec(\"php jobs/complex.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
guardianlanguage-system 0 ~ e42c395ec4b03fe62973a669c9209a673838b8a4 -

II. Public POCs for CVE-2026-34110

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-34110

登录查看更多情报信息。

Proof of Concept for CVE-2026-34110 (1)

Other References for CVE-2026-34110 (1)

Same Patch Batch · guardian · 2026-07-01 · 22 CVEs total

CVE-2026-340999.8 CRITICALGuardian Language-System Unauthenticated SQL Injection via id Parameter in job_info.php
CVE-2026-341099.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in speech.p
CVE-2026-341139.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in speech_t
CVE-2026-341049.8 CRITICALGuardian Language-System Unauthenticated SQL Injection via name Parameter in designer.php
CVE-2026-341079.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in translat
CVE-2026-341149.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in translat
CVE-2026-341159.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in transcri
CVE-2026-341119.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in speechma
CVE-2026-341029.8 CRITICALGuardian Language-System Unauthenticated SQL Injection via id Parameter in job_info_get.ph
CVE-2026-341089.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in text.php
CVE-2026-341169.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in transcri
CVE-2026-341039.8 CRITICALGuardian Language-System Unauthenticated SQL Injection via id Parameter in subtitles.php
CVE-2026-341019.8 CRITICALGuardian Language-System Unauthenticated SQL Injection via id Parameter in text_file.php
CVE-2026-341129.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in speechma
CVE-2026-341069.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in subtitle
CVE-2026-341009.8 CRITICALGuardian Language-System Unauthenticated SQL Injection via id Parameter in media.php
CVE-2026-341179.8 CRITICALGuardian Language-System Unauthenticated OS Command Injection via id Parameter in text_to_
CVE-2026-341059.8 CRITICALGuardian Language-System Unauthenticated SQL Injection via id Parameter in translate_text.
CVE-2026-340964.6 MEDIUMGuardian Language-System XSS via name Parameter in designer.php
CVE-2026-340984.6 MEDIUMGuardian Language-System XSS via id Parameter in media.php

Showing top 20 of 22 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-34110

No comments yet


Leave a comment