Impact
Guardian language-system contains an OS command injection flaw: the id GET parameter is passed directly to a PHP exec() call. An attacker can inject shell metacharacters to run arbitrary operating-system commands without any authentication. This is a high-severity CWE-78 issue that can compromise the confidentiality, integrity, and availability of the affected server.
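The pattern described above next to one way to close it, as an added example that is not Guardian's code. The advisory does not show speechmac_text.php, so the launched program (TOOL, here /bin/echo), the function names and the assumption that id is a positive integer are all hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: stand-in for whatever program the endpoint launches;
// the advisory does not name the real command.
const TOOL = '/bin/echo';

// Vulnerable pattern (CWE-78): the request value is concatenated into a
// string that exec() hands to /bin/sh. Shown as a builder only, never run.
function build_command_unsafe(string $rawId): string
{
    return TOOL . ' ' . $rawId;
}

// Allow-list validation: accept only a canonical positive integer.
// The 1..999999 range is an assumed bound, not taken from the product.
function parse_id(string $rawId): ?int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999999]]);
    return $id === false ? null : $id;
}

// Hardened form: validate first, then start the program from an argv
// array (PHP >= 7.4), which bypasses the shell entirely.
function run_tool_safe(string $rawId): array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return ['status' => 400, 'output' => ''];   // reject, do not sanitise
    }
    $proc = proc_open([TOOL, (string) $id], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return ['status' => 500, 'output' => ''];
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);
    return ['status' => $exit === 0 ? 200 : 500, 'output' => trim((string) $out)];
}

// Constructed sample values; a web handler would pass $_GET['id'] instead.
foreach (['42', '0042', '42abc', '42;x', '', '-1'] as $raw) {
    $r = run_tool_safe($raw);
    printf("%-8s status=%d output=%s\n", var_export($raw, true), $r['status'], $r['output']);
}
```

Only values that parse as an integer in the allowed range reach the child process, and because no shell is involved, metacharacters have no meaning even if validation were later loosened.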
Affected Systems
The flaw affects the Guardian language-system product. No specific affected versions were listed; any deployment of the language-system that includes speechmac_text.php is potentially vulnerable.
Risk and Exploitability
The CVSS score of 9.3 reflects a critical risk level. The EPSS score is currently unavailable, but the lack of an authentication requirement and the ability to run arbitrary commands make exploitation likely in a realistic threat scenario. The vulnerability is not yet listed in CISA's KEV catalog, but its impact warrants immediate attention.
OpenCVE Enrichment