CRITICAL | CVE-2026-34111 | CNA: VulnCheck

CVE-2026-34111: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechmac_text.php

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac_text.php (line 18) without sanitization: exec("php jobs/speech_audio_mac_text.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
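As an added illustration (not code from the Guardian language-system project), the sink described above next to a hardened form of the same command. The jobs/speech_audio_mac_text.php path and the $login_session variable come from the advisory; the numeric-id validation rule, the function names and the omission of the elided trailing arguments are assumptions.

```php
<?php
// Added example, not code from the Guardian language-system project.
// It contrasts the sink described in the advisory with a hardened form.

// VULNERABLE (the pattern the advisory reports): the raw id query value is
// concatenated into a shell command, so /bin/sh interprets any ';', '|',
// '&', '`' or '$(' in it as command syntax. The advisory elides the
// trailing arguments ("..."); they are omitted here.
function run_speech_job_vulnerable(string $login_session): void
{
    exec("php jobs/speech_audio_mac_text.php " . $login_session . " " . $_GET['id']);
}

// HARDENED: builds the same command with three independent layers.
//  1. Validation: id must be a short decimal integer (assumption: the job
//     ids are numeric; adjust the pattern to the real id format).
//  2. Quoting: escapeshellarg() wraps each argument so the shell sees one
//     literal word even if the validation rule is later loosened.
//  3. The caller must supply a non-empty authenticated session; the
//     advisory notes the original endpoint checked none.
function build_speech_job_command(string $login_session, string $id): string
{
    if ($login_session === '') {
        throw new RuntimeException('authentication required');
    }
    if (!preg_match('/\A[0-9]{1,10}\z/', $id)) {
        throw new InvalidArgumentException('id must be a decimal integer');
    }
    return 'php ' . escapeshellarg('jobs/speech_audio_mac_text.php')
        . ' ' . escapeshellarg($login_session)
        . ' ' . escapeshellarg($id);
}

// Request handler: maps the two failure modes to 401 / 400 and only then
// reaches exec(). Returns the HTTP status it set.
function run_speech_job_hardened(string $login_session, array $query): int
{
    try {
        $cmd = build_speech_job_command($login_session, (string)($query['id'] ?? ''));
    } catch (RuntimeException $e) {
        http_response_code(401);
        return 401;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return 400;
    }
    exec($cmd, $output, $status);
    return $status === 0 ? 200 : 500;
}
```

Validation alone stops the injection for integer ids; escapeshellarg() is kept as a second layer so a later change to the allowed id format does not silently reopen the sink.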

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An OS command injection vulnerability exists in Guardian language-system, a PHP-based language learning application. The affected component, speechmac_text.php, passes a user-supplied GET parameter directly into a PHP exec() call with no sanitization and no authentication required, meaning any remote attacker who can reach the web server can inject and execute arbitrary shell commands. Successful exploitation gives the attacker full command execution on the host operating system. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Guardian language-system at or before commit e42c395ec4b03fe62973a669c9209a673838b8a4. Any image carrying the affected codebase is flagged immediately.

Triage: Available

HarborGuard scores this CVE at 9.3 CVSS v4.0 (Critical) and surfaces it with that severity weighting inside each customer environment. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, customers with network-policy controls or web application firewall rules can apply compensating controls through HarborGuard's policy engine to isolate affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the web server to reach speechmac_text.php.

  • Authentication: Not required

    No credentials or session token of any kind are needed; the vulnerable parameter is processed before any authentication check.

  • Victim interaction: Not required

    The attack is fully server-side; no user action, click, or social engineering is required.

  • Attack complexity: Low (CVSS AC:L)

    Exploitation is reliable and condition-free; the attacker simply appends shell metacharacters to the id GET parameter with no race conditions or environmental dependencies to overcome.

Blast Radius

  • Reads any file readable by the web server process, including application source code, configuration files, and stored credentials.
  • Writes or overwrites files on the server filesystem, enabling webshell deployment or modification of application logic.
  • Executes arbitrary OS commands, allowing lateral movement to other systems reachable from the host or installation of persistent backdoors.
  • Crashes or disrupts the affected web service by terminating processes or consuming system resources.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image found to include Guardian language-system at or before the affected commit. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression test run and a PR opened against affected workloads the moment a fix version is published. While no patch is available, consider applying compensating controls: restrict inbound HTTP access to speechmac_text.php at the network or ingress layer, apply a web application firewall rule that blocks requests containing shell metacharacters in the id parameter, and use HarborGuard's policy engine to flag any deployment of this image in internet-facing workloads as a policy violation requiring manual review.

Affected packages

  • guardian / language-system ≤ e42c395ec4b03fe62973a669c9209a673838b8a4

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N