CVE-2026-34114
Received - Intake

Command Injection in Guardian Language-System

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec("php jobs/translate_text.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: guardian
Product: language-system
Version / Range: to e42c395 (exc)

Exploitability

CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Executive Summary

This vulnerability exists in the Guardian language-system's translate_text.php file, where the 'id' GET parameter is passed directly into a PHP exec() function call without any sanitization.

Because there is no authentication required and no input validation, an unauthenticated remote attacker can inject shell metacharacters through the 'id' parameter to execute arbitrary operating system commands on the server.

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated attacker to execute arbitrary OS commands on the server hosting the Guardian language-system.

  • Complete compromise of the server, including data theft or destruction.
  • Potential disruption of services provided by the language-system.
  • Unauthorized access to sensitive information or system resources.

Detection Guidance

This vulnerability can be detected by checking for unusual or unauthorized execution of commands on the server, especially those triggered by requests to translate_text.php with the 'id' GET parameter.

You can monitor web server logs for suspicious requests containing shell metacharacters in the 'id' parameter.

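The following commands help check whether the vulnerable script is being targeted or whether the host shows signs of compromise.

  • Use grep to find requests whose id value contains shell metacharacters: grep -E 'id=[^& "]*[;|`$()]' /var/log/apache2/access.log. The pattern is single-quoted so that the shell does not interpret the backtick and $( itself, and it is limited to the id value so that the parentheses and semicolons in user-agent strings do not match. Access logs record the request as it was sent, so percent-encoded metacharacters (such as %3B for ;) are not matched by this pattern.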
  • Check for unexpected processes spawned by the web server user: ps aux | grep apache (or nginx)
  • Run a network monitoring tool like tcpdump or Wireshark to capture suspicious traffic targeting translate_text.php.
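
The log check described above, as an added example that is not part of the original report: a scanner that URL-decodes the id value the way PHP does when filling $_GET, then tests it for shell metacharacters. It assumes Apache/nginx combined log format and a script path ending in /translate_text.php; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The report's list ; & | ` $ ( ) plus redirection and line breaks (added here as an assumption).
SHELL_META = re.compile(r"[;&|`$()<>\r\n]")

def suspicious_id(target):
    """Return the decoded id value if it contains shell metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/translate_text.php"):
        return None
    # Split on '&' by hand so a raw ';' is never treated as a parameter separator.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # one decode pass, as PHP applies to $_GET
        if unquote_plus(name) == "id" and SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return (client, decoded_id) for every suspicious request in the log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            value = suspicious_id(m.group(2))
            if value is not None:
                hits.append((m.group(1), value))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2026:10:00:01 +0000] "GET /translate_text.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [01/Jul/2026:10:00:05 +0000] "GET /translate_text.php?id=42%3Bid HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Jul/2026:10:00:09 +0000] "GET /translate_text.php?lang=de&id=%24%28id%29 HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '192.0.2.11 - - [01/Jul/2026:10:00:12 +0000] "GET /index.php?id=1%3B2 HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} id={value!r}")
```

The first sample line shows why the id value has to be isolated: its user-agent string contains ( and ; but the request itself is benign and is not flagged.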

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable translate_text.php script and applying input validation or sanitization to the 'id' GET parameter.

Since no authentication is required, implementing authentication or access controls to prevent unauthenticated access is critical.

If possible, update or patch the Guardian language-system to a version that fixes this vulnerability.

  • Block or filter requests containing shell metacharacters in the 'id' parameter at the web server or firewall level.
  • Disable or restrict the use of the exec() function in PHP if not required.
  • Monitor logs continuously for exploitation attempts.