HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-34117Published Modified CNA VulnCheck

CVE-2026-34117: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text_to_subtitles.php

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec(\"php jobs/text_to_subtitles.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An OS command injection vulnerability affects Guardian language-system (all commits through e42c395ec4b03fe62973a669c9209a673838b8a4). The flaw is reachable over the network with no authentication required: the id GET parameter in text_to_subtitles.php is passed directly into a PHP exec() call without any sanitization, letting an attacker append shell metacharacters to run arbitrary commands. Successful exploitation gives the attacker full OS command execution on the server, enabling file reads, writes, and persistence. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-34117 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Guardian language-system. Any image whose Guardian language-system layer falls at or before commit e42c395ec4b03fe62973a669c9209a673838b8a4 is flagged automatically.

Available
Triage

Triage is available using the CVSS v4.0 base score of 9.3 (Critical), surfaced alongside each customer organization's compliance policy weighting to prioritize severity correctly for that environment. Findings are routed to the team inbox configured by each customer org so the right engineers see the alert without manual triage queuing.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a fix. In the meantime, customers can apply compensating controls through HarborGuard network policy recommendations, described in the recommendation section.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is served over HTTP/HTTPS, so the attacker must be able to reach the application over the network.

  • AuthenticationNot required

    No account or session token is required; the vulnerable parameter is accessible to any anonymous HTTP request.

  • Victim interactionNot required

    The attacker sends a crafted GET request directly to the server; no user action or social engineering is involved.

  • Attack complexityDetail

    Exploitation is reliable and condition-free: appending shell metacharacters to the id parameter triggers exec() immediately with no race condition or environmental dependency.

Blast Radius

  • Attacker executes arbitrary OS commands as the web server process user, enabling reading of any file that process can access, including application secrets, credentials, and environment variables.
  • Attacker can write or overwrite files on disk, plant web shells, or modify application code to establish persistent access.
  • Attacker can crash or manipulate running processes on the host, disrupting service availability for users of the affected application.
  • All three confidentiality, integrity, and availability impacts are rated High in the CVSS v4.0 vector, meaning data disclosure, data tampering, and service disruption are all within reach of a single unauthenticated request.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-34117 as of publication, the platform monitors the Guardian language-system advisory on every ingest cycle and will surface a patched-image rebuild automatically when the maintainer ships a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention at that point. While no fix is available, HarborGuard supports compensating controls: network policy isolation can be used to restrict inbound access to text_to_subtitles.php at the ingress or service-mesh layer, limiting exposure to trusted sources only. Egress filtering rules can reduce the attacker's ability to exfiltrate data or download secondary payloads even if the endpoint is reached. Where compliance policy permits, feature-flag or route-level gating on the affected endpoint is a viable short-term mitigation. All of these compensating-control options are available within HarborGuard's policy configuration, and customers running affected images are encouraged to review their network policy posture now.

See how HarborGuard automates this
Affected packages
  • guardian / language-system
    ≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N