CVE-2026-34113

Guardian · Language-system

An unauthenticated command injection vulnerability exists in the speech_text.php file of the Guardian language-system due to improper sanitization of the id parameter.

Executive summary

An unauthenticated remote attacker can execute arbitrary OS commands on the Guardian language-system, potentially leading to a full system compromise.

Vulnerability

The vulnerability is a command injection in speech_text.php, where the id GET parameter is passed directly to PHP's exec() function without sanitization. Because no authentication is required, any remote actor can supply shell metacharacters in that parameter and execute unauthorized OS commands.

Business impact

The CVSS score of 9.8 reflects the extreme risk posed by this vulnerability. Successful exploitation allows an attacker to gain full control over the underlying server, resulting in potential data theft, service disruption, and the establishment of a persistent backdoor within the corporate network.

Remediation

Immediate Action: Update the Guardian language-system to the latest vendor-supplied version to patch the command injection vulnerability.

Proactive Monitoring: Review web server access logs for unusual GET requests containing shell metacharacters (e.g., ;, |, &&) targeting the speech_text.php endpoint.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to inspect and block incoming requests containing shell command syntax in the id parameter.
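To support the log review described above, the following is an added example (not code from the advisory or the vendor) that scans access-log lines for requests to speech_text.php whose id parameter carries shell metacharacters. It decodes percent-encoding twice, because the separators the advisory lists usually reach the log URL-encoded (%3B, %7C, %26%26) or double-encoded; the Common Log Format layout, the sample lines and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Common Log Format prefix: client, identd, user, [timestamp], "METHOD target PROTO" status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')

# Separators the advisory names (; | &&) plus the other constructs that let a
# value escape a command string.
SHELL_META = re.compile(r'&&|[;|`\n]|\$\(')

# Constructed sample lines (not from any real server); clients use documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /speech_text.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /speech_text.php?id=42%3Bid HTTP/1.1" 200 734',
    '198.51.100.2 - - [10/Mar/2026:12:00:09 +0000] "GET /speech_text.php?id=1%257Cid HTTP/1.1" 200 120',
    '198.51.100.4 - - [10/Mar/2026:12:00:11 +0000] "GET /speech_text.php?id=7&&id HTTP/1.1" 200 120',
    '198.51.100.7 - - [10/Mar/2026:12:00:12 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200 88',
]

def id_values(query):
    """Yield each decoded 'id' value. Split on '&' only (a ';' here is evidence,
    not a separator) and decode twice so %257C -> %7C -> | is still inspected."""
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        if unquote_plus(key) == 'id':
            yield unquote_plus(unquote_plus(value))

def suspicious_requests(lines):
    """Return (client, evidence) for speech_text.php requests whose raw query or
    decoded id value contains shell metacharacters. Other endpoints are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if parts.path.rsplit('/', 1)[-1] != 'speech_text.php':
            continue
        if SHELL_META.search(parts.query):
            # Unencoded metacharacters in the raw query: report the whole query
            # before splitting on '&' could swallow a literal '&&'.
            hits.append((m.group('client'), parts.query))
            continue
        for value in id_values(parts.query):
            if SHELL_META.search(value):
                hits.append((m.group('client'), value))
    return hits

if __name__ == '__main__':
    for client, evidence in suspicious_requests(SAMPLE_LOG):
        print(f'{client}: {evidence!r}')
```

Feed it real access logs one line at a time; a hit is a triage lead, not proof of compromise, since the same indicator catches failed attempts against an already patched host.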

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical severity and the lack of authentication requirements, this vulnerability presents an immediate threat to the confidentiality and integrity of your infrastructure. Organizations should prioritize patching the Guardian language-system as a matter of urgency to prevent unauthorized remote code execution.