Wasteland.
⚡ Active KEV CVE-2026-34108 2026-07-01

CVE-2026-34108: Unauthenticated OS Command Injection in Guardian language-system

Guardian's language-system contains a critical unauthenticated OS command injection flaw that lets remote attackers run arbitrary commands on the server.

What Is It

CVE-2026-34108 is an OS command injection vulnerability (CWE-78) in the Guardian language-system. The application passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec("php jobs/text.php ".$login_session." ".$_GET['id']." ..."). Because the input is never validated, an attacker can append shell metacharacters to the id parameter and have them executed by the operating system. No authentication is required to reach the vulnerable code path.
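
The concatenation pattern described above next to two hardened forms, as an added example that is not Guardian's code or a vendor patch. It assumes id is meant to be a decimal integer, uses $session as a stand-in for $login_session, and leaves out the arguments the page elides with "...".

```php
<?php
// Added example, not Guardian's code. Assumed: id is a decimal integer;
// $session stands in for $login_session; the page's "..." args are omitted.

// Shape quoted in the brief: input is concatenated into a string that exec()
// hands to the shell, so metacharacters in id are parsed as shell syntax.
function command_vulnerable(string $session, string $id): string
{
    return "php jobs/text.php " . $session . " " . $id;
}

// Allow-list check. $_GET values can be arrays, so test the type first.
function validate_id($id): string
{
    if (!is_string($id) || !preg_match('/\A[0-9]{1,10}\z/', $id)) {
        throw new InvalidArgumentException('id must be 1-10 decimal digits');
    }
    return $id;
}

// If a shell string is unavoidable: validate, then quote every argument.
function command_hardened(string $session, $id): string
{
    return 'php jobs/text.php ' . escapeshellarg($session)
         . ' ' . escapeshellarg(validate_id($id));
}

// Preferred on PHP >= 7.4: array-form proc_open() starts the process directly.
function run_job(string $session, $id): int
{
    $argv = ['php', 'jobs/text.php', $session, validate_id($id)];
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start job');
    }
    stream_get_contents($pipes[1]);   // drain stdout so the child can exit
    fclose($pipes[1]);
    return proc_close($proc);
}

// Constructed inputs; the strings are only printed, nothing is executed here.
foreach (['42', '42;echo INJECTED'] as $id) {
    echo 'vulnerable: ', command_vulnerable('sess', $id), "\n";
    try {
        echo 'hardened:   ', command_hardened('sess', $id), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected:   ', $e->getMessage(), "\n";
    }
}
```

Because run_job() passes an argument array, no shell parses the values, so validation there guards the job's own input handling rather than shell syntax.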

Why It Matters

The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; the CVSS 4.0 secondary score is 9.3. It is remotely exploitable over the network with low attack complexity and requires neither privileges nor user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability: an unauthenticated remote attacker can execute arbitrary OS commands, effectively taking control of the affected server.

Note: No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.

What's Vulnerable

The vulnerable code is in text.php, where the unsanitized id GET parameter flows into the exec() call.

Patch Status

The supplied NVD record lists the vulnerability as affecting versions through the referenced git commit and does not specify a fixed version or a separate required-action deadline. NVD vulnStatus is "Deferred." Refer to the vendor repository and the VulnCheck advisory below for remediation details.

Sources