CRITICAL | CVE-2026-34108 | Published | Modified | CNA: VulnCheck

CVE-2026-34108: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text.php

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec("php jobs/text.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated OS command injection vulnerability in Guardian language-system, a PHP-based language management application. The flaw exists in text.php, where the id GET parameter is passed without sanitization directly into a PHP exec() call, allowing any remote attacker to append shell metacharacters and run arbitrary operating system commands. Successful exploitation gives an attacker full command execution on the server with no credentials required. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
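The pattern described above beside a hardened form, as an added example that is not Guardian language-system code and not an upstream fix. It assumes id is a numeric record identifier; the function names and sample inputs are hypothetical.

```php
<?php
// Added example, not Guardian language-system code. Assumes `id` is a numeric
// record identifier; run_text_job() and build_text_job_argv() are hypothetical names.

// Pattern quoted in the advisory (trailing arguments are elided there):
//   exec("php jobs/text.php ".$login_session." ".$_GET['id']." ...");
// exec() hands the whole string to a shell, so id is parsed as shell syntax.

/** Return the argv for the job, or null when either input is rejected. */
function build_text_job_argv($loginSession, $rawId): ?array
{
    // No authenticated session value: refuse before touching the parameter.
    if (!is_string($loginSession) || $loginSession === '') {
        return null;
    }
    // Allow-list: 1-10 digits. \A and \z anchor the whole string, so a trailing
    // newline, whitespace, an array (?id[]=1) or any metacharacter is rejected.
    if (!is_string($rawId) || preg_match('/\A[0-9]{1,10}\z/', $rawId) !== 1) {
        return null;
    }
    return ['php', 'jobs/text.php', $loginSession, $rawId];
}

/** Run the job without a shell; returns its exit code, or -1 if rejected. */
function run_text_job($loginSession, $rawId): int
{
    $argv = build_text_job_argv($loginSession, $rawId);
    if ($argv === null) {
        return -1;
    }
    // Array form of proc_open (PHP 7.4+) starts the program directly, so each
    // element reaches the child as one argument and is never shell-parsed.
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    stream_get_contents($pipes[1]);   // drain output so the child cannot block
    fclose($pipes[1]);
    return proc_close($proc);
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: only the first should be accepted.
    foreach (['42', "42\n", '42 43', '42;', '', ['42']] as $candidate) {
        echo json_encode($candidate), ' => ',
            build_text_job_argv('alice', $candidate) ? 'accepted' : 'rejected', "\n";
    }
}
```

If exec() has to stay, the same allow-list check applies and each interpolated value should additionally pass through escapeshellarg().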

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Guardian language-system at or below commit e42c395ec4b03fe62973a669c9209a673838b8a4. Both registry scans and CI pipeline checks are capable of surfacing affected images before they reach production.

Triage: Available

HarborGuard scores this CVE at 9.3 CRITICAL under CVSS v4.0 and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers with auto-remediation or policy enforcement enabled can gate affected images at the pipeline boundary to prevent deployment of vulnerable builds.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the application over the network; the vulnerable text.php endpoint is exposed via standard HTTP and requires no special network position.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerable exec() call is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker sends a crafted GET request directly to the server; no user action or social engineering is involved.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; appending shell metacharacters to the id parameter requires no timing, memory layout knowledge, or environmental preconditions.

Blast Radius

  • Attacker executes arbitrary OS commands as the web server process user, enabling full control over the host environment.
  • All data accessible to the server process, including stored credentials, session tokens, and application database contents, is readable by the attacker.
  • Attacker can write, modify, or delete files on the server, including application code, configuration files, and persisted user data.
  • Service availability is fully at the attacker's discretion; the attacker can terminate processes, exhaust resources, or destroy the filesystem.

How HarborGuard Handles This

Available on HarborGuard: continuous advisory monitoring for CVE-2026-34108 across all customer environments running Guardian language-system images. Because no upstream patch exists, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger the standard rebuild-and-PR flow the moment a fix version is published. For customers who opt into auto-remediation, that flow includes a regression-test run and a PR opened against affected workloads with no manual intervention required. While the vulnerability is unpatched, recommended compensating controls include applying network policy rules to restrict inbound HTTP access to the text.php endpoint, enabling egress filtering to limit the blast radius of command execution, and blocking deployment of images containing the affected commit via pipeline policy gates. Where compliance policy permits, HarborGuard can enforce a hard block on affected image tags at the registry or CI stage until a patched version becomes available.

Affected packages
  • guardian / language-system
    ≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N