CVE-2026-34114: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translate_text.php
Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec(\"php jobs/translate_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated OS command injection vulnerability exists in Guardian language-system, a PHP-based translation application. The flaw is reachable over the network with no credentials required: the id GET parameter in translate_text.php is passed directly into a PHP exec() call without any sanitization, letting an attacker append shell metacharacters and run arbitrary operating system commands. Successful exploitation gives an attacker full command execution on the server, enabling data theft, file modification, or complete host takeover. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-34114 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from guardian/language-system. Any image at or below commit e42c395ec4b03fe62973a669c9209a673838b8a4 is flagged automatically.
AvailableHarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and surfaces it in each customer org's triage queue weighted against that org's active compliance policy. Routing rules direct the alert to the team or inbox configured for critical-severity findings in the affected environment.
AvailableNo fix version has been published upstream for guardian/language-system. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and open a PR against affected workloads without manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable endpoint is exposed over HTTP/HTTPS, so an attacker must be able to reach the web server across the network to send the malicious request.
- AuthenticationNot required
No credentials or session token of any kind are needed; the vulnerable translate_text.php endpoint is fully public.
- Victim interactionNot required
The attacker sends a single crafted GET request directly to the server; no user action or social engineering is involved.
- Attack complexityDetail
Exploitation is reliable and condition-free - appending shell metacharacters to the id parameter is sufficient without requiring timing, memory-layout knowledge, or any environmental pre-condition.
Blast Radius
- Reads any file readable by the web server process, including application credentials, database passwords, and stored session tokens.
- Writes or overwrites files on the server, including webshells or modified application code.
- Executes arbitrary system commands, enabling lateral movement to other services or hosts reachable from the server.
- Crashes or terminates running processes, causing service disruption for the hosted translation application.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked continuously against all customer images containing guardian/language-system at the affected commit range. Because no upstream patch exists yet, the recommended immediate compensating controls are: apply a network policy that restricts inbound access to translate_text.php to trusted source IPs only; add a WAF or reverse-proxy rule that rejects GET parameters containing shell metacharacters (semicolons, pipes, backticks, dollar signs); and where possible, disable or gate the translate endpoint behind application-level authentication until a fix is available. HarborGuard re-evaluates the advisory on every ingest cycle. For customers with auto-remediation enabled, a patched-image rebuild, regression-test run, and PR against affected workloads will be initiated automatically as soon as the upstream maintainer publishes a remediated release.
- guardian / language-system≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N