Impact
The Guardian language-system module contains an unchecked use of the id GET parameter in a PHP exec() call. Because the value is concatenated directly into a shell command without validation, an attacker can craft the parameter with shell metacharacters to run arbitrary commands on the server. If exploited, the attacker gains full remote code execution capability, bypassing authentication and compromising confidentiality, integrity, and availability of the system.
Affected Systems
The vulnerability affects the Guardian Language-System component. All installations that expose the vulnerable text.php endpoint are susceptible; product and version details are not specified in the data, so administrators should verify whether their deployment includes this module and whether the id parameter is exposed.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical level of severity, and the absence of a KEV listing does not reduce the risk, as the flaw permits unauthenticated remote code execution. Because the attack can be performed over the web without authentication, the potential for exploitation is high. No additional exploit prerequisites are stated, so any client able to send a crafted HTTP GET request may trigger the vulnerability.
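To check whether the endpoint has already received crafted requests, the sketch below scans web access logs for text.php requests whose id value fails a strict allowlist. It is an added example, not code from the advisory or the product; it assumes combined-format access logs and that legitimate id values are short alphanumeric tokens, and the /lang/ path and the sample log entries are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate id values are short alphanumeric tokens.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line as it appears inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_ids(log_lines, endpoint="text.php"):
    """Return (client, decoded id) for endpoint requests whose id fails the allowlist."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Match on the script name so the check works wherever the module is installed.
        if url.path.rsplit("/", 1)[-1].lower() != endpoint:
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are caught too.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not SAFE_ID.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample entries (documentation IP ranges), not from a real incident.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /lang/text.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /lang/text.php?id=42%3Bid HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /lang/text.php?id=7%7Cuname HTTP/1.1" 200 20',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?id=1%3Bid HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in suspicious_ids(SAMPLE_LOG):
        print(f"{client} sent id={value!r} to text.php")
```

An allowlist is used instead of a list of shell metacharacters so that encodings and characters not anticipated here are still flagged; adjust SAFE_ID to the id format the deployment actually uses.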