CVE-2026-34108: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text.php
Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec(\"php jobs/text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an unauthenticated OS command injection vulnerability in Guardian language-system, a PHP-based language management application. The flaw exists in text.php, where the id GET parameter is passed without sanitization directly into a PHP exec() call, allowing any remote attacker to append shell metacharacters and run arbitrary operating system commands. Successful exploitation gives an attacker full command execution on the server with no credentials required. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Guardian language-system at or below commit e42c395ec4b03fe62973a669c9209a673838b8a4. Both registry scans and CI pipeline checks are capable of surfacing affected images before they reach production.
AvailableHarborGuard scores this CVE at 9.3 CRITICAL under CVSS v4.0 and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
AvailableBecause no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers with auto-remediation or policy enforcement enabled can gate affected images at the pipeline boundary to prevent deployment of vulnerable builds.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the application over the network; the vulnerable text.php endpoint is exposed via standard HTTP and requires no special network position.
- AuthenticationNot required
No credentials of any kind are needed; the vulnerable exec() call is reachable by any unauthenticated HTTP request.
- Victim interactionNot required
The attacker sends a crafted GET request directly to the server; no user action or social engineering is involved.
- Attack complexityDetail
The exploit is reliable and condition-free; appending shell metacharacters to the id parameter requires no timing, memory layout knowledge, or environmental preconditions.
Blast Radius
- Attacker executes arbitrary OS commands as the web server process user, enabling full control over the host environment.
- All data accessible to the server process, including stored credentials, session tokens, and application database contents, is readable by the attacker.
- Attacker can write, modify, or delete files on the server, including application code, configuration files, and persisted user data.
- Service availability is fully at the attacker's discretion; the attacker can terminate processes, exhaust resources, or destroy the filesystem.
How HarborGuard Handles This
Available on HarborGuard: continuous advisory monitoring for CVE-2026-34108 across all customer environments running Guardian language-system images. Because no upstream patch exists, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger the standard rebuild-and-PR flow the moment a fix version is published. For customers who opt into auto-remediation, that flow includes a regression-test run and a PR opened against affected workloads with no manual intervention required. While the vulnerability is unpatched, recommended compensating controls include applying network policy rules to restrict inbound HTTP access to the text.php endpoint, enabling egress filtering to limit the blast radius of command execution, and blocking deployment of images containing the affected commit via pipeline policy gates. Where compliance policy permits, HarborGuard can enforce a hard block on affected image tags at the registry or CI stage until a patched version becomes available.
- guardian / language-system≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N