Guardian's language-system contains a critical, unauthenticated OS command injection flaw that lets a remote attacker run arbitrary commands on the server via the id parameter in subtitles.php.
What Is It
CVE-2026-34106 is an OS command injection vulnerability (CWE-78) in the Guardian language-system application. In subtitles.php (line 19), the id GET parameter is passed directly into a PHP exec() call without sanitization:
exec("php jobs/subtitle_rendering.php ".$login_session." ".$_GET['id']." ...")
Because the parameter is not sanitized, an attacker can append shell metacharacters to id to execute arbitrary operating-system commands. No authentication is required to reach the vulnerable code path.
Why It Matters
The flaw is remotely exploitable over the network, requires no privileges and no user interaction, and has low attack complexity. It carries a CVSS 3.1 base score of 9.8 (CRITICAL; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS 4.0 score of 9.3 (CRITICAL). Successful exploitation gives high impact to confidentiality, integrity, and availability, which in practice means arbitrary command execution as the web server user and effectively total technical impact on the affected host. CISA's SSVC assessment rates the flaw as automatable with total technical impact but lists exploitation as "none", meaning no active exploitation has been reported. No CISA KEV entry was supplied in the source material, so in-the-wild exploitation is not confirmed by KEV.
What's Vulnerable
- Vendor: guardian
- Product: language-system
- Repository: https://github.com/guardian/language-system
- Affected versions: all commits up to and including git revision e42c395ec4b03fe62973a669c9209a673838b8a4
The vulnerability was disclosed by VulnCheck ([email protected]) and published 2026-07-01.
Patch Status
The supplied source material does not specify a fixed version or an official patch; the affected range is defined only by the last-affected git commit (e42c395ec4b03fe62973a669c9209a673838b8a4). No CISA-mandated required action was provided. Until a fix is confirmed, operators should consult the VulnCheck advisory and the project repository for remediation guidance, and in the interim restrict access to the subtitles.php endpoint and validate or escape the id parameter before it reaches exec().
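As an added example (not code from the guardian/language-system repository or the VulnCheck advisory), the following PHP places the vulnerable concatenation pattern from subtitles.php beside a hardened replacement: a deny-by-default allowlist on id, escapeshellarg() on every argument, and, preferably, proc_open() with an array command so that no shell is involved at all. The id format (decimal digits), the session-token format, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the guardian/language-system project.
// Assumptions: id is a decimal job identifier, the session token is a short
// alphanumeric string, and the helper names below are illustrative only.
declare(strict_types=1);

/**
 * The pattern the advisory describes: the raw GET parameter is concatenated
 * into a command string that exec() hands to /bin/sh. Any shell
 * metacharacter in $id is interpreted by that shell.
 */
function build_command_vulnerable(string $loginSession, string $id): string
{
    return "php jobs/subtitle_rendering.php " . $loginSession . " " . $id;
}

/**
 * Hardened string form. Reject anything outside the expected format first,
 * then quote every argument anyway so that a future relaxation of the
 * allowlist cannot silently reintroduce shell interpretation.
 * Returns null when input is rejected; the caller should answer 400.
 */
function build_command_hardened(string $loginSession, string $id): ?string
{
    // Assumed format: 1-20 decimal digits. Adjust to the real id scheme.
    if (preg_match('/\A[0-9]{1,20}\z/', $id) !== 1) {
        return null;
    }
    // Assumed format for the session token.
    if (preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $loginSession) !== 1) {
        return null;
    }
    $argv = ['php', 'jobs/subtitle_rendering.php', $loginSession, $id];
    // escapeshellarg() single-quotes each element on POSIX systems.
    return implode(' ', array_map('escapeshellarg', $argv));
}

/**
 * Preferred form: pass argv as an array to proc_open() (PHP >= 7.4).
 * The array is passed straight to execve(), so no shell parses it and
 * metacharacters in any element are just bytes in an argument.
 * Returns the child's exit status, or -1 if it could not be started.
 */
function spawn_without_shell(array $argv, string &$stdout = ''): int
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if ($proc === false) {
        return -1;
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed demonstration inputs (not taken from any real request).
$session = 'abc123';
$benign  = '42';
$hostile = '42; echo injected'; // contains a shell metacharacter

echo "vulnerable : ", build_command_vulnerable($session, $hostile), PHP_EOL;
echo "hardened   : ", var_export(build_command_hardened($session, $hostile), true), PHP_EOL;
echo "hardened   : ", build_command_hardened($session, $benign), PHP_EOL;

// proc_open() with an array runs a real binary without a shell; 'php --version'
// stands in for the rendering job so the example runs anywhere PHP CLI exists.
$out = '';
$status = spawn_without_shell(['php', '--version'], $out);
echo "exit status: ", $status, PHP_EOL;
```

For the hostile input the vulnerable builder yields a string containing two shell commands, the hardened builder returns null before any command is assembled, and for the benign input it yields a command in which every argument is single-quoted. The allowlist check is the control that matters most: escapeshellarg() alone would still pass an over-long or unexpected id through to the job script, and the array form of proc_open() removes the shell from the picture entirely, which is the fix a practitioner should push for in the upstream code.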