CRITICAL | CVE-2026-34112 | CNA: VulnCheck

CVE-2026-34112: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechmac.php

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec("php jobs/speech_audio_mac.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An OS command injection vulnerability affects Guardian language-system, a PHP-based language learning application. The flaw sits in speechmac.php, where the id GET parameter is passed unsanitized directly into a PHP exec() call; no authentication or special network position is required to reach it. A remote attacker can append shell metacharacters to that parameter and execute arbitrary operating system commands on the server, gaining full read, write, and disruption capability over affected hosts. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment one is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-34112 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Guardian language-system at or before commit e42c395ec4b03fe62973a669c9209a673838b8a4.

Status: Available

Triage

HarborGuard scores this CVE at CVSS v4.0 9.3 (Critical) and is capable of weighting that score against each customer environment's compliance policy to surface it at the correct priority. Routing to the right team inbox inside each customer org is available based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable speechmac.php endpoint is exposed over the network; an attacker must be able to send HTTP GET requests to the target server.

  • Authentication: Not required

    No credentials or session token of any kind are needed; the vulnerable code path is fully unauthenticated.

  • Victim interaction: Not required

    The attacker sends a crafted HTTP request directly to the server; no user action or social engineering is involved.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, memory layout assumptions, or environmental prerequisites are required.

Blast Radius

  • A successful attacker executes arbitrary OS commands as the web server process user, gaining an interactive shell or the ability to run any binary on the host.
  • The attacker reads any file accessible to the web server process, including application source code, configuration files, and stored credentials or session tokens.
  • The attacker writes or overwrites files on the server, enabling webshell deployment, binary replacement, or corruption of application data.
  • The attacker can crash or resource-exhaust the affected service, taking the application offline for all users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-34112, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment Guardian language-system publishes a fix. In the interim, customers are encouraged to apply compensating controls at the network layer: restrict inbound HTTP access to speechmac.php via ingress network policy or a web application firewall rule that rejects requests containing shell metacharacters in the id parameter; consider removing or disabling the endpoint entirely if speech synthesis is not in active use. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be opened automatically once a fix version is available upstream, with no manual steps required. The advisory is flagged at Critical severity (CVSS v4.0 9.3) and will be re-routed to affected team inboxes according to each environment's compliance policy on every ingest cycle until remediation is confirmed.
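
The metacharacter check described above, as an added example (not HarborGuard's or the Guardian project's code): a Python scan of web-server access logs that flags speechmac.php requests whose decoded id value contains shell metacharacters, including percent-encoded and repeated id parameters. The combined log format, the metacharacter set and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed set: characters a POSIX shell treats specially, plus whitespace and control bytes.
SHELL_META = re.compile(r"""[;&|`$()<>\\"'*?\[\]{}!#~\s\x00-\x1f]""")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_id_values(target):
    """Return decoded id values of a speechmac.php request that contain shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/speechmac.php"):
        return []
    # parse_qs percent-decodes and keeps every repeated id= occurrence.
    values = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    return [v for v in values if SHELL_META.search(v)]

def scan(lines):
    """Return (line_number, client_ip, bad_values) for each flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        bad = suspicious_id_values(m.group("target"))
        if bad:
            hits.append((n, line.split(" ", 1)[0], bad))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /speechmac.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /speechmac.php?id=42%3Becho%20test HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /app/speechmac.php?id=1&id=%60x%60 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:12 +0000] "GET /index.php?id=a%3Bb HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for n, ip, bad in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent id={bad!r}")
```

The same predicate can back a WAF or reverse-proxy rule; any hit in historical logs for an exposed host is a reason to investigate that host, since the endpoint needs no authentication.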

Affected packages
  • guardian / language-system
    ≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N