CVE-2026-34106
Status: Received - Intake

Command Injection in Guardian Language-System

Vulnerability report for CVE-2026-34106, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec("php jobs/subtitle_rendering.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

AI Quick Actions

Executive Summary

CVE-2026-34106 is an unauthenticated OS command injection vulnerability in the Guardian Language-System, specifically in the subtitles.php file.

The vulnerability occurs because the 'id' GET parameter is passed directly into a PHP exec() call without any sanitization or validation.

This allows a remote attacker to append shell metacharacters to the 'id' parameter and execute arbitrary operating system commands on the server.

No authentication is required to exploit this vulnerability, making it highly critical.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the affected server.

An attacker could execute arbitrary OS commands, potentially leading to full system compromise, data theft, data loss, or disruption of services.

Since no authentication is required, any remote attacker can exploit this flaw, increasing the risk of widespread attacks.

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable subtitles.php file and testing the 'id' GET parameter for command injection. Since the 'id' parameter is passed directly to a PHP exec() call without sanitization, sending specially crafted requests with shell metacharacters can reveal if arbitrary commands are executed.

A possible detection method is to send HTTP requests to subtitles.php with the 'id' parameter containing shell metacharacters and observe the server's response or side effects.

  • Example curl command to test for command injection: curl "http://<target>/subtitles.php?id=1;id"
  • If the server executes the 'id' command, the response may include system user information, indicating the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable subtitles.php file and disabling or filtering the 'id' GET parameter to prevent injection of shell metacharacters.

Applying input validation and sanitization on the 'id' parameter to ensure it does not contain any shell metacharacters is critical.

If possible, update the Guardian Language-System to a version that has fixed this vulnerability or apply patches provided by the vendor.

As a temporary measure, consider implementing web application firewall (WAF) rules to block suspicious requests targeting the 'id' parameter in subtitles.php.
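The validation and sanitization the mitigation steps above call for, shown as an added PHP example that is not code from the Guardian language-system: the 'id' parameter, subtitles.php, jobs/subtitle_rendering.php and $login_session come from the advisory; the integer format of the id and the way the job script is invoked are assumptions.

```php
<?php
// Added example, not code from the Guardian language-system. File names, the
// 'id' parameter and $login_session follow the advisory; everything else is an
// assumption about how the job script is invoked.

// Vulnerable pattern as described in the advisory (kept here only for contrast,
// never called): the raw GET value is spliced into the shell command line.
function vulnerable_subtitle_command(string $login_session): string {
    return "php jobs/subtitle_rendering.php " . $login_session . " " . $_GET['id'];
}

// Hardened step 1: allowlist validation. A subtitle job id is assumed to be a
// plain decimal integer, so anything else is rejected before a command is built.
function validate_subtitle_id(string $raw_id): int {
    if (!preg_match('/\A[1-9][0-9]{0,9}\z/', $raw_id)) {
        throw new InvalidArgumentException('invalid subtitle job id');
    }
    return (int) $raw_id;
}

// Hardened step 2: build the command with every argument quoted by
// escapeshellarg(), so the shell receives exactly one argument per value even
// if the validation above is ever loosened.
function build_subtitle_command(string $login_session, int $id): string {
    return 'php ' . escapeshellarg(__DIR__ . '/jobs/subtitle_rendering.php')
         . ' '   . escapeshellarg($login_session)
         . ' '   . escapeshellarg((string) $id);
}

// Request handler: validate, build, then exec() with a return-code check.
function render_subtitles(string $login_session, array $get): array {
    $id = validate_subtitle_id($get['id'] ?? '');
    exec(build_subtitle_command($login_session, $id), $output, $rc);
    if ($rc !== 0) {
        error_log("subtitle_rendering failed rc=$rc id=$id");
    }
    return $output;
}

// Constructed inputs: a legitimate id, the injection shape the advisory
// describes, and a malformed id. Only the first survives validation.
foreach (['42', '1;id', '007'] as $candidate) {
    try {
        $id = validate_subtitle_id($candidate);
        echo "accepted: ", build_subtitle_command('sess-placeholder', $id), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $candidate, "\n";
    }
}
```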
