Wasteland.

CVE-2026-34106: Unauthenticated OS Command Injection in Guardian language-system

"Guardian's language-system contains a critical, unauthenticated OS command injection flaw that lets a remote attacker run arbitrary commands on the server via the `id` parameter in `subtitles.php`."


What Is It

CVE-2026-34106 is an OS command injection vulnerability (CWE-78) in the Guardian language-system application. In subtitles.php (line 19), the id GET parameter is passed directly into a PHP exec() call without sanitization:

exec("php jobs/subtitle_rendering.php ".$login_session." ".$_GET['id']." ...")

Because the parameter is not sanitized, an attacker can append shell metacharacters to id to execute arbitrary operating-system commands. No authentication is required to reach the vulnerable code path.
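To make the mechanics concrete, here is an added example (not code from the Guardian language-system project or from the advisory) that puts the vulnerable concatenation next to a hardened version. It assumes the command is built from $login_session and $_GET['id'] as quoted above and drops the trailing arguments the advisory elides; the rule that id must be a plain decimal integer, the function names and the sample inputs are assumptions made for illustration. Neither function calls exec(), so the block only shows the command strings each approach would hand to the shell.

```php
<?php
// Added example, not code from the Guardian language-system project.
// Assumptions: the vulnerable line builds the command from $login_session and
// $_GET['id'] exactly as quoted in the advisory; the trailing arguments elided
// there ("...") are omitted. Nothing below calls exec(); both builders return
// the command string so the effect of the input can be inspected safely.

declare(strict_types=1);

// Mirrors the vulnerable pattern: the request parameter is concatenated into
// the shell command line verbatim, so shell metacharacters in $id become
// shell syntax instead of data.
function buildRenderCommandVulnerable(string $loginSession, string $id): string
{
    return "php jobs/subtitle_rendering.php " . $loginSession . " " . $id;
}

// Hardened form: allow-list the parameter first (a subtitle id is assumed to
// be a plain decimal integer; adjust to the real identifier format), then
// escape every argument with escapeshellarg() so each one can only ever be a
// single argv entry for the child process.
function buildRenderCommandSafe(string $loginSession, string $id): string
{
    if (!ctype_digit($id) || strlen($id) > 10) {
        throw new InvalidArgumentException('id must be a plain integer');
    }
    return "php jobs/subtitle_rendering.php "
        . escapeshellarg($loginSession) . " "
        . escapeshellarg($id);
}

// Constructed sample inputs: a benign id and one carrying a shell
// metacharacter (';' terminates the intended command in a POSIX shell).
$session   = "sess_123";
$benignId  = "42";
$hostileId = "42; uname -a";

echo "vulnerable, benign : ", buildRenderCommandVulnerable($session, $benignId), PHP_EOL;
echo "vulnerable, hostile: ", buildRenderCommandVulnerable($session, $hostileId), PHP_EOL;
echo "safe, benign       : ", buildRenderCommandSafe($session, $benignId), PHP_EOL;

try {
    buildRenderCommandSafe($session, $hostileId);
} catch (InvalidArgumentException $e) {
    echo "safe, hostile      : rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

Run it with `php` from the command line. In the vulnerable output the hostile id produces a command line containing two shell commands; in the hardened path the allow-list rejects it outright, and even a value that slipped past the allow-list would be wrapped in single quotes by escapeshellarg(), so the metacharacter stays inside one argument. The allow-list is the primary control and escaping is defense in depth; on PHP 7.4 or later the strongest fix is to run the job with proc_open() and an array of arguments, which bypasses the shell entirely. None of this addresses the missing authentication on the code path, which needs its own check before the command is built.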

Why It Matters

The flaw is remotely exploitable over the network, requires no privileges and no user interaction, and has low attack complexity. It carries a CVSS 3.1 base score of 9.8 (CRITICAL, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS 4.0 score of 9.3 (CRITICAL). Successful exploitation gives the attacker arbitrary command execution as the account the PHP process runs under (typically the web server user), with high impact to confidentiality, integrity and availability, which amounts to total technical impact on the affected server. CISA's SSVC assessment rates the flaw as automatable with total technical impact but lists exploitation as "none", meaning no active exploitation had been reported at publication. The source material includes no CISA KEV entry, so in-the-wild exploitation is not confirmed by KEV.

What's Vulnerable

The vulnerability was reported by VulnCheck and published on 2026-07-01. The source material does not list affected version numbers; the affected range is given only as a git commit, noted under Patch Status below.

Patch Status

The supplied source material does not specify a fixed version or an official patch. The affected range is defined only by the last-affected git commit (e42c395ec4b03fe62973a669c9209a673838b8a4); any deployment built from that commit or an earlier one should be treated as vulnerable until the project states otherwise. No CISA-mandated required action was provided. Operators should consult the VulnCheck advisory and the project repository for remediation guidance. In the interim, block or authenticate access to subtitles.php at the web server or WAF, and, where the code can be changed, reject any id value that is not a plain integer before it reaches exec() and pass each argument through escapeshellarg(), or run the job via proc_open() with an argument array so that no shell is involved.

Sources