CRITICAL | CVE-2026-34113 | CNA: VulnCheck

CVE-2026-34113: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech_text.php

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech_text.php (line 18) without sanitization: exec("php jobs/speech_audio_text.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an OS command injection vulnerability in Guardian language-system, a PHP-based application. The flaw exists in speech_text.php, where the id GET parameter is passed directly into a PHP exec() call without any sanitization or authentication check, allowing an unauthenticated attacker to reach it over the network by appending shell metacharacters to a simple HTTP request. Successful exploitation gives the attacker arbitrary OS command execution on the server, enabling full system compromise including data theft, file modification, and persistent access. HarborGuard is tracking the advisory for patch availability since no fix version has been published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-34113 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Guardian language-system at the affected commit. Any image containing a version at or before commit e42c395ec4b03fe62973a669c9209a673838b8a4 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and surfaces it at the top of the severity queue. Per-environment compliance policy weighting is applied before routing the finding to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. In the meantime, customers with auto-remediation enabled can apply compensating controls such as network-policy isolation rules or egress filtering through HarborGuard-generated policy PRs where their compliance policy permits.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the server running speech_text.php.

  • Authentication: Not required

    No credentials or session token of any kind are required; the vulnerable exec() call is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker sends a crafted HTTP GET request directly to the server; no user action or social engineering is needed.

  • Attack complexity (detail)

    Exploitation is reliable and condition-free; appending shell metacharacters to the id parameter requires no race conditions, memory layout knowledge, or environmental setup.

Blast Radius

  • Attacker executes arbitrary OS commands as the web server process user, enabling full read access to all files on the host including credentials, private keys, and application data.
  • Attacker can write or overwrite files on the server, modifying application code, configuration, or injecting backdoors for persistent access.
  • Attacker can crash or kill running processes on the host, taking down the affected service and any co-located services.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-34113, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment Guardian language-system ships a fix. While the vulnerability is unpatched, customers can use HarborGuard to apply compensating controls: network policy isolation to restrict inbound HTTP access to speech_text.php at the container or namespace level, egress filtering to limit outbound connections from the affected workload, and runtime alerting on exec-family syscalls from the PHP process. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be opened automatically as soon as an upstream fix is published. Given the critical severity and zero-barrier exploitability of this issue, immediate manual review of any image containing this component is strongly recommended regardless of auto-remediation configuration.
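
While no fix exists, web access logs can also be reviewed for requests to speech_text.php whose id value contains anything beyond a plain token. The following is an added example, not HarborGuard or Guardian code; it assumes combined-format access logs and a hypothetical allowlist for legitimate id values, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate id values are short alphanumeric tokens. Adjust this
# allowlist to the id format your deployment actually uses.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Request field of a common/combined access log line. Any HTTP method is
# accepted because PHP fills $_GET from the query string regardless of method.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_id(line):
    """Return the decoded id value when the line is a request to
    speech_text.php whose id fails the allowlist, otherwise None."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode the path so an encoded script name is still recognised.
    if "speech_text.php" not in unquote(parts.path).lower():
        return None
    # parse_qsl percent-decodes once; a double-encoded value still contains
    # '%' afterwards, which the allowlist rejects as well.
    for key, value in parse_qsl(parts.query):
        if key == "id" and not SAFE_ID.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_id) for every flagged log line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_id(line)) is not None]

# Constructed sample input (documentation address ranges, made-up ids).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /speech_text.php?id=4821 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:04 +0000] "GET /speech_text.php?id=4821%3Bx HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /speech_text.php?lang=en&id=4821%7Cx HTTP/1.1" 200 91',
    '198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "GET /index.php?id=a%7Cb HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: id={value!r}")
```

An allowlist is used rather than a list of known metacharacters so that encodings and separators not anticipated here are still flagged; the same pattern can back a reverse-proxy rule that rejects non-conforming id values before they reach PHP.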

Affected packages
  • guardian / language-system
    ≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N