⚡ Active KEV CVE-2026-34114 2026-07-01

CVE-2026-34114: Unauthenticated OS Command Injection in Guardian language-system

Guardian's language-system contains a critical, unauthenticated OS command injection flaw that lets remote attackers run arbitrary commands on the server via a single unsanitized GET parameter.

What Is It

CVE-2026-34114 is an unauthenticated OS command injection vulnerability (CWE-78) in Guardian's language-system. The translate_text.php script (line 18) passes the id GET parameter directly into a PHP exec() call without sanitization:

exec("php jobs/translate_text.php ".$login_session." ".$_GET['id']." ...")

Because the input is never validated, an unauthenticated remote attacker can append shell metacharacters to the id parameter and execute arbitrary operating-system commands on the underlying server. No authentication is required.
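The pattern above, shown beside a hardened rewrite, as an added example that is not Guardian's code. The function names and the assumption that id is meant to be a bare decimal job identifier are mine; the fix is to allow-list the value before it reaches exec() and to quote every argument with escapeshellarg() regardless.

```php
<?php
// Added example, not Guardian's code. Assumes the id parameter is a numeric job id.

// Vulnerable shape as described in the advisory: the GET value is spliced straight
// into the shell command string, so shell metacharacters in id become new commands.
function build_command_vulnerable(string $login_session, string $id): string
{
    return "php jobs/translate_text.php " . $login_session . " " . $id;
}

// Hardened: allow-list the value, then quote it anyway. Returns null when rejected.
function build_command_hardened(string $login_session, string $id): ?string
{
    // Allow-list (assumption): a job id is a non-empty, bounded run of decimal digits.
    if ($id === '' || strlen($id) > 20 || !ctype_digit($id)) {
        return null;
    }
    // Defence in depth: escapeshellarg() wraps each value as a single shell argument,
    // so the command stays well formed even if the check above is loosened later.
    return "php jobs/translate_text.php "
        . escapeshellarg($login_session) . " "
        . escapeshellarg($id);
}

// Request handling: reject before exec(), never after. Requiring authentication
// before this point is a separate fix that this snippet does not cover.
function handle_request(array $get, string $login_session): void
{
    $id  = (string) ($get['id'] ?? '');
    $cmd = build_command_hardened($login_session, $id);
    if ($cmd === null) {
        http_response_code(400);
        exit('invalid id');
    }
    exec($cmd, $output, $status);
    // $output and $status are then used as the original script does.
}

// Constructed inputs to show the two outcomes.
var_dump(build_command_hardened('sess', '42'));       // string: php jobs/translate_text.php 'sess' '42'
var_dump(build_command_hardened('sess', '42 extra')); // NULL: rejected by the allow-list
```

The allow-list is the real control; escapeshellarg() is kept so that a single-argument guarantee survives even if someone later widens the accepted character set.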

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 4.0 secondary score of 9.3 (CRITICAL). It is remotely exploitable over the network with low attack complexity, requires no privileges and no user interaction, and results in high confidentiality, integrity, and availability impact. Arbitrary command execution as the web service effectively hands an attacker control of the affected host.

What's Vulnerable

The vulnerable code path is the id GET parameter handled in translate_text.php.

Patch Status

The NVD record lists a vulnerability status of Deferred and does not identify a fixed version; affected coverage extends through the noted commit hash. No CISA KEV entry was supplied, so there is no confirmation of active exploitation and no KEV-mandated required action at this time. Organizations running Guardian language-system should treat this as critical and remediate by removing exposure and upgrading past the affected commit once a fix is available. Consult the vendor advisory below for guidance.

Sources