CVE-2026-34107: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translate.php
Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization: exec(\"php jobs/translate.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an OS command injection vulnerability in the Guardian language-system web application. An unauthenticated attacker reachable over the network can append shell metacharacters to the id GET parameter in translate.php, which is passed unsanitized into a PHP exec() call, causing the server to run arbitrary operating system commands. Successful exploitation gives the attacker full control over command execution on the host, enabling data theft, file modification, or complete server takeover. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available the moment a fix is released.
HarborGuard Coverage
Detection for CVE-2026-34107 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the guardian language-system package at or below commit e42c395ec4b03fe62973a669c9209a673838b8a4.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS v4.0 rating of 9.3 (Critical) and weighting the finding against each customer environment's compliance policy to determine urgency. Routed alerts can reach the appropriate team inbox within each customer org based on configured ownership rules.
AvailableBecause no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once a fix becomes available.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must be able to send HTTP GET requests to the vulnerable translate.php endpoint over the network; any internet-exposed or internally reachable deployment is in scope.
- AuthenticationNot required
No credentials or session tokens of any kind are needed; the vulnerable exec() call is reachable by any anonymous HTTP request.
- Victim interactionNot required
The attacker sends a crafted request directly to the server; no user action, click, or social engineering is involved.
- Attack complexityDetail
Exploitation is straightforward and condition-free: appending standard shell metacharacters to the id parameter is sufficient, with no race conditions or environment-specific prerequisites.
Blast Radius
- The attacker executes arbitrary OS commands as the web server process user, which can include reading any file readable by that account such as application secrets, credentials, and session data.
- The attacker can write or overwrite files on the server, enabling webshell placement, binary replacement, or corruption of stored application data.
- The attacker can crash or kill running processes, causing the affected service to become unavailable.
- With command execution established, the attacker can use the compromised host as a pivot point to probe other services on the same internal network segment.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical-severity, no-fix-available CVE is active across all connected environments, with results surfaced in each customer's findings dashboard. Because no upstream patch exists, the recommended immediate compensating controls include isolating the container running guardian language-system behind a network policy that restricts inbound HTTP access to trusted sources only, applying egress filtering to limit outbound connections from the container, and disabling or gating the translate.php endpoint via a feature flag or WAF rule until a fix is published. HarborGuard re-evaluates the advisory on every ingest cycle; for customers who opt into auto-remediation, a patched-image rebuild, regression-test run, and PR against affected workloads will be triggered automatically once the guardian maintainers publish a remediated version.
- guardian / language-system≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N