CVE-2026-34117

Command Injection in Guardian Language-System

Vulnerability report for CVE-2026-34117, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Guardian Language-System passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec("php jobs/text_to_subtitles.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

AI Quick Actions

Executive Summary

CVE-2026-34117 is an unauthenticated OS command injection vulnerability in the Guardian Language-System. It occurs because the 'id' GET parameter in the text_to_subtitles.php file is passed directly into a PHP exec() call without any sanitization or validation.

This means an attacker can append shell metacharacters to the 'id' parameter and execute arbitrary operating system commands on the server hosting the application.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to execute arbitrary OS commands on the server, which can lead to full system compromise.

  • Unauthorized access to sensitive data stored on the server.
  • Potential disruption or denial of service by executing malicious commands.
  • Installation of malware or backdoors, leading to persistent compromise.
  • Loss of control over the server environment and possible lateral movement within the network.

Detection Guidance

This vulnerability can be detected by testing the 'id' GET parameter in the text_to_subtitles.php file for command injection. Since the parameter is passed directly into a PHP exec() call without sanitization, sending specially crafted requests with shell metacharacters can reveal if arbitrary commands are executed.

  • Use curl or similar tools to send requests with payloads that include shell metacharacters, for example: curl "http://<target>/text_to_subtitles.php?id=1;id"
  • Monitor server responses or behavior for signs of command execution, such as output from injected commands.
  • Check server logs for unusual command execution or unexpected parameters passed to exec() calls.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable script, applying input validation or sanitization to the 'id' GET parameter, and updating or patching the Guardian Language-System to a version that fixes this issue.

  • Restrict network access to the text_to_subtitles.php endpoint to trusted users only.
  • Implement input validation to reject or sanitize shell metacharacters in the 'id' parameter.
  • Apply any available patches or updates from the vendor addressing this vulnerability.
  • Monitor logs for suspicious activity related to this vulnerability.
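The following is an added illustration, not Guardian's code or its vendor fix: it places the exec() pattern quoted in the description beside a hardened form that applies the two fixes listed above (an access check and strict validation of the id parameter). The $login_session variable and the jobs/text_to_subtitles.php path come from the advisory; the helper names, the session key and the numeric-id assumption are hypothetical.

```php
<?php
// Added example (not from the Guardian code base). Assumes the job id is a
// positive decimal integer; adjust the pattern if real ids differ.
session_start();

function validate_job_id(string $raw): ?string
{
    // Whitelist: only 1-19 digits, no leading zero or sign. Any shell
    // metacharacter (";", "|", "&", "$(", backtick, whitespace) is rejected
    // before the value can reach exec(). \A and \z avoid the trailing-newline
    // leniency of "$".
    return preg_match('/\A[1-9][0-9]{0,18}\z/', $raw) === 1 ? $raw : null;
}

function build_subtitle_command(string $login_session, string $id): string
{
    // Defense in depth: even validated values are wrapped with
    // escapeshellarg() so each is passed to the shell as exactly one argument.
    return 'php jobs/text_to_subtitles.php '
        . escapeshellarg($login_session) . ' '
        . escapeshellarg($id);
}

// Vulnerable pattern as described in the advisory (kept as a comment only):
//   exec("php jobs/text_to_subtitles.php ".$login_session." ".$_GET['id']." ...");

// Hardened flow. The session key name is an assumption for this example.
$login_session = $_SESSION['login_session'] ?? '';
if ($login_session === '') {
    http_response_code(401);   // the endpoint previously required no login
    exit('authentication required');
}

$id = validate_job_id((string)($_GET['id'] ?? ''));
if ($id === null) {
    http_response_code(400);
    error_log('text_to_subtitles: rejected id parameter');  // useful for log review
    exit('invalid id');
}

exec(build_subtitle_command($login_session, $id), $output, $status);
```

With this change, a request such as the curl probe in the detection guidance (id=1;id) is answered with HTTP 400 and logged rather than executed.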
