Description
Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php (line 15) without sanitization: exec("php jobs/transcribe_amazon.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Published: 2026-07-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Guardian Language‑System contains a transcribe_amazon.php script that concatenates the id GET parameter directly into a PHP exec() call without any input validation or sanitization. Because the code paths required to reach this call are not protected by authentication, an attacker can supply shell metacharacters in the id value and cause the underlying operating system to execute arbitrary commands. The weakness exemplifies CWE‑78, where unsanitized data is passed to an OS command, resulting in remote code execution and full compromise of the web server process. The impact is the ability to run any command as the web‑server user, giving the attacker potential to install malware, exfiltrate data, or pivot to other internal hosts.

Affected Systems

All deployments of Guardian Language‑System that expose the transcribe_amazon.php module to the public internet are potentially vulnerable. The advisory does not list specific product versions, so any instance where the script is present and reachable remains at risk until a vendor patch is applied.

Risk and Exploitability

An unauthenticated attacker can exploit the flaw by sending a crafted HTTP request that includes shell metacharacters in the id parameter. Because neither authentication nor input validation is in place, the attack requires no privileges and the attacker's payload is executed directly by the operating system. The CVSS score of 9.3 reflects the high impact and ease of attack. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly documented exploitation yet, but the risk remains high because uncontrolled OS command execution is critical by nature.

Generated by OpenCVE AI on July 2, 2026 at 13:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch that removes or sanitizes the unsanitized exec() call in transcribe_amazon.php.
  • Restrict public access to transcribe_amazon.php by requiring authentication or moving the script behind a protected network boundary.
  • If a patch is unavailable, sanitize the id GET parameter so that any shell metacharacters are escaped or validated before being passed to exec().
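As an added illustration of the third action, not code from Guardian Language-System or from the advisory: the vulnerable concatenation pattern quoted in the description, followed by a hardened version that allow-list validates the id value and passes every argument through escapeshellarg(). The numeric id format, the $login_session variable being populated by the application's own session handling, and the upstream authentication check are assumptions; the trailing arguments elided in the advisory are not reconstructed.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern as quoted in the advisory (shown for comparison only):
//   exec("php jobs/transcribe_amazon.php ".$login_session." ".$_GET['id']." ...");
// The raw GET value reaches the shell, so any shell metacharacter in it is
// interpreted by /bin/sh rather than treated as data.

/**
 * Allow-list validation: accept only a short decimal id, reject everything else.
 * Assumption (not from the advisory): job ids are numeric.
 */
function validate_job_id(?string $raw): ?string
{
    if ($raw === null || !preg_match('/\A[0-9]{1,20}\z/', $raw)) {
        return null;
    }
    return $raw;
}

/**
 * Build the job command with each argument wrapped by escapeshellarg(), so even
 * a value that slipped past validation is handed to the shell as one literal word.
 * Any further arguments used by the real job script (elided in the advisory)
 * would be appended the same way, never by plain string concatenation.
 */
function build_transcribe_command(string $loginSession, string $id): string
{
    return 'php jobs/transcribe_amazon.php '
        . escapeshellarg($loginSession) . ' '
        . escapeshellarg($id);
}

// Request handling: fail closed before exec() ever sees untrusted input.
// The existence of $login_session as a session token is assumed here; an
// authenticated session is required, matching the second recommended action.
if (empty($login_session) || !is_string($login_session)) {
    http_response_code(401);
    exit('authentication required');
}

$id = validate_job_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}

exec(build_transcribe_command($login_session, $id), $output, $status);
```

Validation rejects metacharacters outright, while escapeshellarg() is the second layer for any value that must be passed through; neither replaces the authentication requirement.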

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 19:30:00 +0000

Values removed: (none listed)
Values added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 17:15:00 +0000

Values removed: (none listed)
Values added:
  • Description: Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php (line 15) without sanitization: exec("php jobs/transcribe_amazon.php ".$login_session." ".$_GET['id']." ..."). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
  • Title: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcribe_amazon.php
  • Weaknesses: CWE-78
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T17:45:01.869Z

Reserved: 2026-03-25T18:43:09.828Z

Link: CVE-2026-34115

Vulnrichment

Updated: 2026-07-01T17:44:43.331Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T13:30:05Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')