CVE-2026-34107

Guardian · language-system

An unauthenticated remote command injection vulnerability exists in the language-system translate.php script, allowing attackers to execute arbitrary OS commands via the id parameter.

Executive summary

Guardian language-system is vulnerable to critical unauthenticated remote code execution due to improper input sanitization in the translation module.

Vulnerability

This is a command injection vulnerability occurring in translate.php, where the id GET parameter is passed directly into a PHP exec() function. An unauthenticated attacker can supply shell metacharacters to execute arbitrary system commands with the privileges of the web server.

Business impact

The potential for unauthenticated remote code execution poses a catastrophic risk to organizational security, as it allows attackers to take full control of the underlying server. With a CVSS score of 9.8, this vulnerability could facilitate data exfiltration, lateral movement, or complete system compromise, leading to severe operational downtime and loss of intellectual property.

Remediation

Immediate Action: Apply the latest security update provided by Guardian to address the command injection flaw in translate.php.

Proactive Monitoring: Inspect web server access logs for suspicious GET requests containing shell metacharacters (e.g., ;, |, &, $) within the id parameter.

Compensating Controls: Deploy a Web Application Firewall (WAF) rule to inspect and block incoming requests that contain unexpected shell characters in URL parameters.
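The "Proactive Monitoring" item above can be turned into a repeatable check. The following script is an added example, not code from the advisory or from Guardian: it parses combined-format access log lines, isolates requests to translate.php, percent-decodes the id parameter (twice, so double-encoded requests are not missed) and flags any value containing a shell metacharacter. The log lines are constructed samples, the path prefix /language-system/ is an assumption, and the metacharacter set extends the advisory's list (; | & $) with backticks, newlines and redirection characters that an exec() sink would also honour.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Advisory lists ; | & $ ; backtick, newline, <, > and parentheses are added
# on the assumption that exec() hands the string to /bin/sh unchanged.
SHELL_META = re.compile(r"[;|&$`\n\r<>()]")

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_id_values(target):
    """Return decoded id values of a translate.php request that carry shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/translate.php"):
        return []
    # parse_qs percent-decodes once; unquote again so %253B (-> %3B -> ;) is caught.
    values = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    decoded = [unquote(v) for v in values]
    return [v for v in decoded if SHELL_META.search(v)]


def scan_access_log(lines):
    """Yield one finding per translate.php request whose id parameter looks injected."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line
        for v in suspicious_id_values(m.group("target")):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "id": v, "status": int(m.group("status"))})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2026:10:12:01 +0000] "GET /language-system/translate.php?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Mar/2026:10:12:09 +0000] "GET /language-system/translate.php?id=12%3Becho%20probe HTTP/1.1" 200 734 "-" "curl/8.4.0"',
    '198.51.100.7 - - [05/Mar/2026:10:13:44 +0000] "GET /language-system/translate.php?id=12%253Becho%2520x HTTP/1.1" 200 700 "-" "curl/8.4.0"',
    '192.0.2.5 - - [05/Mar/2026:10:14:02 +0000] "GET /language-system/index.php?id=1%3B2 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status is worth more attention than one with a 4xx, since the advisory places the exec() call in translate.php itself rather than behind any authentication check.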

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this remote code execution vulnerability, immediate patching is mandatory. Organizations should prioritize updating the Guardian language-system to the latest version to eliminate the injection vector and secure the application against unauthenticated adversaries.