CVE-2026-34117

Guardian · language-system

A critical OS command injection vulnerability exists in the text_to_subtitles.php script of the Guardian language-system, allowing unauthenticated remote code execution.

Executive summary

The Guardian language-system is vulnerable to an unauthenticated remote code execution flaw that permits attackers to execute arbitrary commands on the host server.

Vulnerability

The application fails to sanitize the id GET parameter before passing it to a PHP exec() call in text_to_subtitles.php. An unauthenticated remote attacker can inject shell metacharacters to execute unauthorized OS commands.
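The defect described above and its fix, as an added example that is not Guardian's code: the advisory does not publish the vulnerable source, so the converter binary (`text2srt`), the data directory, the function names, and the assumption that a legitimate `id` is a decimal integer are all hypothetical. What the example shows is the general fix for this class of bug: validate the parameter against a strict allowlist before it is used, and keep it out of shell syntax entirely when invoking the external tool.

```php
<?php
declare(strict_types=1);

// Added example, not Guardian's code. The binary path, data directory and the
// "id is a decimal integer" rule are hypothetical; they stand in for whatever
// text_to_subtitles.php really does with the id parameter.
const CONVERTER = '/usr/local/bin/text2srt';   // hypothetical external tool
const TEXT_DIR  = '/var/data/texts';           // hypothetical input directory

// --- Vulnerable shape (the class of defect CVE-2026-34117 describes): the raw
// query value is concatenated into a command line that exec() hands to /bin/sh,
// so any shell metacharacter in $id is interpreted as syntax rather than data.
function build_command_vulnerable(string $id): string
{
    return CONVERTER . ' ' . TEXT_DIR . '/' . $id . '.txt';
}

// --- Hardened shape, step 1: allowlist validation. Accept exactly the value
// type the application expects; do not try to strip "bad" characters, because
// denylists miss encodings and shell dialects.
function validate_id(string $id): ?string
{
    return preg_match('/\A[0-9]{1,10}\z/', $id) === 1 ? $id : null;
}

// --- Hardened shape, step 2: do not build a shell command string at all.
// proc_open() accepts an argv array (PHP >= 7.4); with an array no shell is
// involved, so there is no quoting to get wrong. escapeshellarg() is the
// fallback when an API only takes a string.
function run_converter(string $id): ?array
{
    $safe = validate_id($id);
    if ($safe === null) {
        return null;
    }
    $argv = [CONVERTER, TEXT_DIR . '/' . $safe . '.txt'];
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stdout' => '', 'stderr' => 'failed to start converter'];
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Request handler: a rejected id becomes a 400 and a log line, never a command.
function handle_request(array $get): array
{
    $id = $get['id'] ?? null;
    if (!is_string($id) || validate_id($id) === null) {
        error_log('text_to_subtitles: rejected id=' . json_encode($id));
        return ['code' => 400, 'body' => "invalid id\n"];
    }
    $result = run_converter($id);
    if ($result === null || $result['status'] !== 0) {
        return ['code' => 500, 'body' => "conversion failed\n"];
    }
    return ['code' => 200, 'body' => $result['stdout']];
}

// CLI demonstration: show what each shape would do with a value that carries a
// shell metacharacter. Nothing is executed here; the converter is hypothetical.
if (PHP_SAPI === 'cli') {
    foreach (['1042', '1042; true'] as $id) {
        printf("vulnerable: %s\n", build_command_vulnerable($id));
        printf("hardened:   %s\n", validate_id($id) === null
            ? 'REJECTED (400)'
            : json_encode([CONVERTER, TEXT_DIR . '/' . $id . '.txt']));
    }
}
```

Running it from the CLI prints the concatenated command for both values under the vulnerable shape, while the hardened path accepts `1042` as a single argv element and rejects `1042; true` before any process is started. The allowlist is the real control; the argv form of `proc_open()` removes the shell from the picture so that a future relaxation of the regex cannot reintroduce injection.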

Business impact

The CVSS score of 9.8 underscores the severity of this flaw, which allows for full system compromise without requiring authentication. Business impacts include the loss of confidentiality, integrity, and availability of the affected system, as well as the potential for lateral movement into the broader internal network.

Remediation

Immediate Action: Apply the latest security update provided by Guardian to address the improper input sanitization in text_to_subtitles.php.

Proactive Monitoring: Review server logs for anomalous process execution or unexpected outbound network connections originating from the web server service account.

Compensating Controls: Use a WAF to filter and deny requests to text_to_subtitles.php whose id parameter contains malicious shell command sequences.
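For the monitoring and WAF steps above, an added example (not Guardian's code, nor any WAF vendor's) of the check a defender would run over web access logs: parse each request line, decode the query string, and flag every call to text_to_subtitles.php whose id is not the plain numeric value the application expects. The log lines are constructed for this example, the combined log format and the "id is a decimal integer" rule are assumptions, and the same expression can be lifted into a WAF rule that denies the request rather than merely reporting it.

```php
<?php
declare(strict_types=1);

// Added example, not Guardian's code. The combined access-log format and the
// rule "a legitimate id is a short decimal integer" are assumptions.

// Constructed sample log lines (RFC 5737 documentation addresses). Lines 2 and 3
// carry a shell metacharacter in id, URL-encoded as a client would send it;
// line 4 hits a different script and line 5 has no id at all.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /text_to_subtitles.php?id=1042 HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /text_to_subtitles.php?id=1042%3B%20true HTTP/1.1" 200 88
198.51.100.7 - - [10/Mar/2026:12:01:13 +0000] "GET /text_to_subtitles.php?id=1042%60true%60 HTTP/1.1" 500 0
203.0.113.5 - - [10/Mar/2026:12:02:30 +0000] "GET /index.php?id=1042%3B%20true HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2026:12:03:00 +0000] "GET /text_to_subtitles.php HTTP/1.1" 400 12
LOG;

// Parse one combined-format line into its parts; null for lines that do not
// match (truncated lines, other formats).
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    $url   = parse_url($m[4]);
    $query = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $query);   // also URL-decodes the values
    }
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[5],
    ];
}

// The allowlist the application itself should enforce. Anything else reaching
// the vulnerable script is worth an alert, whatever HTTP status it got.
function id_is_expected($id): bool
{
    return is_string($id) && preg_match('/\A[0-9]{1,10}\z/', $id) === 1;
}

function is_suspicious(array $req): bool
{
    if (basename($req['path']) !== 'text_to_subtitles.php') {
        return false;
    }
    if (!array_key_exists('id', $req['query'])) {
        return false;   // missing parameter: a broken client, not an injection attempt
    }
    return !id_is_expected($req['query']['id']);
}

// Scan log contents and return one finding per suspicious request.
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_access_line($line);
        if ($req !== null && is_suspicious($req)) {
            $findings[] = [
                'client' => $req['client'],
                'time'   => $req['time'],
                'id'     => $req['query']['id'],
                'status' => $req['status'],
            ];
        }
    }
    return $findings;
}

// CLI usage: php scan.php /var/log/apache2/access.log  (falls back to the sample)
if (PHP_SAPI === 'cli') {
    $path = $argv[1] ?? null;
    $findings = scan_access_log($path !== null ? file_get_contents($path) : SAMPLE_LOG);
    foreach ($findings as $f) {
        printf("%s %s id=%s status=%d\n", $f['time'], $f['client'], json_encode($f['id']), $f['status']);
    }
    printf("%d suspicious request(s)\n", count($findings));
}
```

On the constructed sample this reports two findings (the requests from 203.0.113.9 and 198.51.100.7 against text_to_subtitles.php) and ignores the identical payload aimed at index.php as well as the request that omits id. Flagging on "not the expected value" rather than on a list of bad characters is deliberate: it catches encodings and shell dialects a denylist would miss, and the 500 on the third line is exactly the kind of anomalous process behaviour the monitoring step asks teams to look for.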

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical nature of this command injection vulnerability, immediate patching is required. Security teams should treat this as a high-priority incident until the vendor-supplied update is verified as installed across all affected instances.