Guardian's language-system contains a critical, unauthenticated OS command injection flaw that lets remote attackers run arbitrary commands on the server via a single unsanitized GET parameter.
What Is It
CVE-2026-34114 is an unauthenticated OS command injection vulnerability (CWE-78) in Guardian's language-system. The translate_text.php script (line 18) passes the id GET parameter directly into a PHP exec() call without sanitization:
exec("php jobs/translate_text.php ".$login_session." ".$_GET['id']." ...")
Because the input is never validated, an unauthenticated remote attacker can append shell metacharacters to the id parameter and execute arbitrary operating-system commands on the underlying server. No authentication is required.
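A hardened replacement for the exec() call quoted above, added here as an example and not taken from the project's code. It keeps the $login_session variable and the jobs/translate_text.php path from the snippet; that id is meant to be a positive integer, and that the server runs PHP 7.4 or newer, are assumptions.

```php
<?php
// Added example (not the project's code): hardened handling of the id parameter.
// Assumes $login_session is already set by the application and that a valid id
// is a positive integer.

// 1. Allow-list the untrusted parameter. FILTER_VALIDATE_INT rejects anything
//    that is not a plain integer, so shell metacharacters never reach a command.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('invalid id');
}

// 2. Do not build a shell command line at all. Passing an argv array to
//    proc_open() (PHP >= 7.4) starts the interpreter directly: no shell parses
//    the arguments, so there is no quoting to break out of.
$argv = ['php', 'jobs/translate_text.php', (string) $login_session, (string) $id];
$descriptors = [
    0 => ['pipe', 'r'],
    1 => ['pipe', 'w'],
    2 => ['pipe', 'w'],
];
$proc = proc_open($argv, $descriptors, $pipes, __DIR__);
if (!is_resource($proc)) {
    http_response_code(500);
    exit('job failed to start');
}
fclose($pipes[0]);
$out = stream_get_contents($pipes[1]);
$err = stream_get_contents($pipes[2]);
fclose($pipes[1]);
fclose($pipes[2]);
$status = proc_close($proc);

// 3. If an older PHP forces exec(), every argument must still be validated as
//    above and additionally wrapped in escapeshellarg():
//    exec('php jobs/translate_text.php ' . escapeshellarg($login_session)
//         . ' ' . escapeshellarg((string) $id), $output, $status);
```

The validation step alone already closes the injection; the argv form removes the shell from the picture so a future change to the argument list cannot reopen it.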
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 4.0 secondary score of 9.3 (CRITICAL). It is remotely exploitable over the network with low attack complexity, requires no privileges and no user interaction, and results in high confidentiality, integrity, and availability impact. Arbitrary command execution as the web service effectively hands an attacker control of the affected host.
What's Vulnerable
- Vendor: guardian
- Product: language-system (repository: https://github.com/guardian/language-system)
- Affected versions: all versions up to and including git commit e42c395ec4b03fe62973a669c9209a673838b8a4 are marked affected.
The vulnerable code path is the id GET parameter handled in translate_text.php.
Patch Status
The NVD record lists a vulnerability status of Deferred and does not identify a fixed version; affected coverage extends through the noted commit hash. No CISA KEV entry was supplied, so there is no confirmation of active exploitation and no KEV-mandated required action at this time. Organizations running Guardian language-system should treat this as critical and remediate by removing exposure and upgrading past the affected commit once a fix is available. Consult the vendor advisory below for guidance.
Sources
- NVD, CVE-2026-34114 (record source: [email protected])
- VulnCheck Advisory: https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-translate-text-php
- Reference gist: https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad