Guardian's language-system contains a critical unauthenticated OS command injection flaw that lets remote attackers run arbitrary commands on the server.
What Is It
CVE-2026-34108 is an OS command injection vulnerability (CWE-78) in the Guardian language-system. The application passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec("php jobs/text.php ".$login_session." ".$_GET['id']." ..."). Because the input is never validated, an attacker can append shell metacharacters to the id parameter and have them executed by the operating system. No authentication is required to reach the vulnerable code path.
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; the CVSS 4.0 secondary score is 9.3. It is remotely exploitable over the network, requires low attack complexity, needs no privileges, and no user interaction. Successful exploitation yields high impact to confidentiality, integrity, and availability; an unauthenticated remote attacker can execute arbitrary OS commands, effectively taking control of the affected server.
Note: No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.
What's Vulnerable
- Vendor: guardian
- Product: language-system
- Repository: https://github.com/guardian/language-system
- Affected versions: all versions up to and including git commit e42c395ec4b03fe62973a669c9209a673838b8a4 (versionType: git)
The vulnerable code is in text.php, where the unsanitized id GET parameter flows into the exec() call.
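The following is an added illustration, not code from the language-system repository: the string-building pattern the advisory describes, next to a hardened replacement that validates the id parameter and hands arguments to the child process as an argv array so no shell ever parses them. The expected shape of id (a positive integer) and the session-token format are assumptions; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Mirrors the vulnerable construction from text.php: untrusted $id is
// concatenated into a shell command string that exec() hands to /bin/sh.
function build_unsafe_command(string $login_session, string $id): string
{
    return "php jobs/text.php " . $login_session . " " . $id;
}

// Hardened replacement (assumed id format: positive integer up to 10 digits).
// 1. Reject input that does not match the exact shape the job expects.
// 2. Use proc_open() with an array command (PHP >= 7.4), which executes the
//    program directly without a shell, so each element is one argv entry.
function run_text_job(string $login_session, string $id): array
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        throw new InvalidArgumentException('invalid id');
    }
    // Session value is also attacker-influenced in principle; constrain it too.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $login_session)) {
        throw new InvalidArgumentException('invalid session token');
    }

    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['php', 'jobs/text.php', $login_session, $id], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start job');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// If a shell string is unavoidable, every untrusted argument must be quoted
// with escapeshellarg(); validation above should still run first.
function build_quoted_command(string $login_session, string $id): string
{
    return 'php jobs/text.php ' . escapeshellarg($login_session) . ' ' . escapeshellarg($id);
}

// Request handler sketch: the GET parameter never reaches a shell unvalidated.
$id = isset($_GET['id']) ? (string) $_GET['id'] : '';
$result = run_text_job($login_session ?? '', $id);
```

Regardless of which fix is adopted, the allow-list check is the control that matters: the array form of proc_open() removes the shell, and escapeshellarg() neutralises metacharacters, but neither stops an unexpected id from reaching jobs/text.php.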
Patch Status
The supplied NVD record lists the vulnerability as affecting versions through the referenced git commit and does not specify a fixed version or a separate required-action deadline. NVD vulnStatus is "Deferred." Refer to the vendor repository and the VulnCheck advisory below for remediation details.
Sources
- NVD, CVE-2026-34108: https://nvd.nist.gov/vuln/detail/CVE-2026-34108
- VulnCheck Advisory: https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-text-php
- Reference gist: https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad