CVE-2026-34113
Guardian · Language-system
An unauthenticated command injection vulnerability exists in the speech_text.php file of the Guardian language-system due to improper sanitization of the id parameter.
Executive summary
An unauthenticated remote attacker can execute arbitrary OS commands on the Guardian language-system, potentially leading to a full system compromise.
Vulnerability
This is a command injection vulnerability in speech_text.php: the id GET parameter is concatenated into a command string and passed to PHP's exec() without validation or escaping. Because the endpoint requires no authentication, any remote actor who can reach it can append shell metacharacters (for example ;, |, && or $(...)) to the id value and run arbitrary OS commands with the privileges of the web server process.
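The following is an added example, not code from the Guardian language-system, that reproduces the class of bug described above in a constructed stand-in and shows its hardened form. The function names, the use of echo as the command being wrapped, and the numeric-only id format are assumptions made for illustration.

```php
<?php
// Added example: constructed stand-in for "request parameter reaches exec()".
// Not the vendor's code. "echo" is a harmless placeholder for the real command
// that speech_text.php wraps; the function names are assumptions.

// VULNERABLE: the id value is spliced into the shell command string untouched.
// A value such as "1; id" ends the intended command at ";" and runs "id".
function speech_text_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    exec("echo " . $id, $output);
    return implode("\n", $output);
}

// HARDENED: validate against a strict allowlist first, then quote for the shell.
function speech_text_hardened(array $get): string
{
    $id = $get['id'] ?? '';
    // Only a bounded decimal identifier is acceptable; reject everything else
    // before it gets anywhere near a command. (Assumed id format.)
    if (!preg_match('/^[0-9]{1,10}$/', $id)) {
        throw new InvalidArgumentException('invalid id');
    }
    // escapeshellarg() is defence in depth: even if the allowlist is loosened
    // later, the value reaches the shell as one literal, single-quoted argument.
    exec("echo " . escapeshellarg($id), $output);
    return implode("\n", $output);
}

// Constructed malicious input, mimicking ?id=1%3B%20id on the wire.
$payload = ['id' => '1; id'];

// The vulnerable path executes the injected "id" command.
echo speech_text_vulnerable($payload), "\n";

// The hardened path refuses the value before any command is built.
try {
    echo speech_text_hardened($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

On PHP 7.4 and later, passing an array rather than a string as the command to proc_open() bypasses the shell entirely, which removes the metacharacter problem rather than escaping around it; prefer that over escapeshellarg() where the surrounding code can be restructured.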
Business impact
The CVSS score of 9.8 (Critical) reflects the combination of network reachability, no authentication requirement and full impact on confidentiality, integrity and availability. Successful exploitation gives an attacker control over the underlying server, with potential data theft, service disruption, and a persistent foothold from which to move further into the corporate network.
Remediation
Immediate Action: Update the Guardian language-system to the latest vendor-supplied version immediately to patch the command injection vulnerability.
Proactive Monitoring: Review web server access logs for GET requests to the speech_text.php endpoint whose id parameter contains shell metacharacters (e.g., ;, |, &&, backticks, $( )). Decode the query string before matching: an attacker will normally send these characters percent-encoded (%3B, %7C, %26%26, %24%28), and a byte-for-byte search for the literal characters will miss them.
Compensating Controls: Until the patch is applied, implement a Web Application Firewall (WAF) rule to inspect and block requests containing shell command syntax in the id parameter, and restrict network access to the endpoint where the deployment allows. Treat these as stopgaps only; WAF rules are routinely bypassed with alternative encodings, and they do not remove the underlying exec() call.
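The following is an added example for the monitoring step above, not a tool shipped with the product. It scans Apache combined-format access log lines for requests to speech_text.php, percent-decodes the id parameter the way PHP itself would, and flags values containing shell metacharacters. The log lines are constructed samples using documentation IP ranges, and the function names are assumptions.

```php
<?php
// Added example: access-log triage for the speech_text.php endpoint.
// The log lines below are constructed samples, not real traffic.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /speech_text.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:10:01:07 +0000] "GET /speech_text.php?id=42;id HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2026:10:02:15 +0000] "GET /speech_text.php?id=42%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.8 - - [10/Mar/2026:10:02:40 +0000] "GET /speech_text.php?id=1%24%28id%29 HTTP/1.1" 200 700 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2026:10:02:55 +0000] "GET /speech_text.php?id=7%7C%7Cwhoami HTTP/1.1" 200 700 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2026:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
LOG;

// Characters the shell interprets: separators, pipes, background, substitution,
// redirection, grouping and line breaks.
const SHELL_METACHARS = '/[;|&`$(){}<>\n\r]/';

/**
 * Return the raw (still percent-encoded) query string of a request to
 * speech_text.php, or null if the line is not such a request.
 */
function extractSpeechTextQuery(string $line): ?string
{
    if (!preg_match('#"(?:GET|POST) /speech_text\.php\?([^ "]*) HTTP/#', $line, $m)) {
        return null;
    }
    return $m[1];
}

/**
 * Decide whether the id parameter of a raw query string would carry shell
 * metacharacters into exec(). parse_str() splits on & and percent-decodes
 * each value exactly as PHP does when it builds $_GET, so the check models
 * what the vulnerable code actually receives (%3B becomes ";", %24%28 becomes
 * "$(", and so on). A grep for the literal characters would miss all of these.
 */
function isSuspiciousId(string $rawQuery): bool
{
    parse_str($rawQuery, $params);
    $id = $params['id'] ?? null;
    return is_string($id) && preg_match(SHELL_METACHARS, $id) === 1;
}

/**
 * Scan a block of log text and return the lines that warrant investigation.
 */
function scanAccessLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $query = extractSpeechTextQuery($line);
        if ($query !== null && isSuspiciousId($query)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

foreach (scanAccessLog(SAMPLE_LOG) as $hit) {
    echo "SUSPICIOUS: ", $hit, "\n";
}
```

Of the six sample lines, the first and last are benign and the four in between should be reported: a literal ;, a percent-encoded ; with a command, a $( ) substitution, and a percent-encoded || chain. Run it against a real log with `php scan.php < access.log` after replacing SAMPLE_LOG with `stream_get_contents(STDIN)`; unencoded & in a query is a parameter separator, not part of the id value, so an attacker who wants & to reach the shell has to encode it, which this check catches.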
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical severity and the absence of any authentication requirement, this vulnerability presents an immediate threat to the confidentiality, integrity and availability of your infrastructure. Organizations should prioritize patching the Guardian language-system as a matter of urgency to prevent unauthenticated remote code execution, and should review access logs for the endpoint in case exploitation preceded the patch.