HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-34115Published Modified CNA VulnCheck

CVE-2026-34115: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcribe_amazon.php

Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php (line 15) without sanitization: exec(\"php jobs/transcribe_amazon.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An OS command injection vulnerability affects Guardian language-system, a PHP-based transcription management application. The id GET parameter in transcribe_amazon.php is passed directly to a PHP exec() call with no sanitization and no authentication check, meaning any network-reachable attacker can send a crafted HTTP request to run arbitrary shell commands on the server. Successful exploitation gives an attacker full OS-level command execution, enabling data theft, file modification, or complete server takeover. HarborGuard tracks this advisory for patch availability and will make a patched rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Guardian language-system at or below commit e42c395ec4b03fe62973a669c9209a673838b8a4.

Available
Triage

HarborGuard scores this finding at CVSS 9.3 Critical and weights it against each environment's compliance policy to determine escalation priority; findings at this severity are routed to the appropriate team inbox inside each customer organization automatically.

Available
Patch

No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the server running Guardian language-system.

  • AuthenticationNot required

    No credentials or session token are needed; the vulnerable transcribe_amazon.php script accepts unauthenticated GET requests.

  • Victim interactionNot required

    Exploitation requires no action from any user or administrator on the target system.

  • Attack complexityDetail

    The exploit is straightforward and condition-free; appending shell metacharacters to the id parameter is sufficient to inject commands with no race conditions or special environmental prerequisites.

Blast Radius

  • An attacker executes arbitrary OS commands under the web server process user, gaining an interactive shell or the ability to run any binary on the host.
  • All data accessible to the server process, including database credentials, stored session tokens, and user records managed by Guardian language-system, can be read and exfiltrated.
  • An attacker can write, overwrite, or delete files within the web root and any path the process user can access, corrupting application data or planting backdoors.
  • The web server process can be killed or the host rebooted, taking the transcription service offline.

How HarborGuard Handles This

Available on HarborGuard: images containing Guardian language-system are flagged Critical the moment this CVE enters the feed, which is typically within minutes of publication. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the maintainer publishes a remediated commit or release. In the meantime, customers can apply compensating controls through HarborGuard network policy: isolate the affected container from public ingress by adding an ingress-deny rule scoped to transcribe_amazon.php, apply egress filtering to prevent outbound shell callbacks, and where application architecture permits, gate the endpoint behind an authentication proxy at the infrastructure layer. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will open automatically when the upstream fix is confirmed.

See how HarborGuard automates this
Affected packages
  • guardian / language-system
    ≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N