External risk intelligence

Guardian Language System Unauthenticated OS Command Injection

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-34113

The vulnerability exists in a web application script (speech_text.php) accessible via a GET parameter. As a web-based endpoint that processes user input without authentication, this component is commonly deployed as an internet-facing service.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a language processing component of the Guardian system, allowing unauthenticated attackers to execute arbitrary operating system commands. This issue stems from the system's direct use of a GET parameter in a PHP command without proper validation, posing a significant risk to server security. The main concern is confirming the relevance and exposure of this technology within our environment.

  • Unauthenticated attackers can run commands on servers.
  • This impacts systems processing speech to text.
  • Confirm relevance and exposure of affected systems.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to the `speech_text.php` script. This script, located in the Guardian language-system, processes a GET parameter named `id` without proper validation. By appending shell metacharacters to this parameter, an attacker can trick the `exec()` function into running arbitrary operating system commands on the server.

  • No authentication required for access.
  • `id` GET parameter triggers command execution.
  • Arbitrary OS command execution possible.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated remote attacker could execute arbitrary operating system commands on the server by appending shell metacharacters to the `id` GET parameter in `speech_text.php`, when supported by the advisory. This occurs because the `id` parameter is passed directly to a PHP `exec()` call without sanitization.

  • Arbitrary OS commands on the server.
  • Appending shell metacharacters to `id` parameter.
  • Unauthenticated remote command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Guardian language-system's speech processing component allows unauthenticated remote attackers to execute arbitrary OS commands. Infrastructure or platform teams are likely responsible for the affected PHP application, with the security team needing to confirm exposure and critical business impact. The first practical step is to identify all instances of the Guardian language-system, assess their external reachability, and determine their criticality to business operations before planning remediation.

  • Identify accountable application or platform owner.
  • Verify external reachability and business criticality.
  • Plan remediation based on verified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Guardian language-system?

The Guardian language-system is a software component designed to process audio and speech data into text. It is typically integrated into web applications to provide automated transcription or language analysis services. Because it handles media processing requests, it often relies on server-side PHP scripts to interact with underlying operating system functions to complete these language-based tasks.

What does CWE-78 mean for CVE-2026-34113?

CWE-78 refers to OS Command Injection. In the context of this CVE, it means the application fails to properly clean user-provided input before using it to run system-level commands. Because the system takes the 'id' parameter directly from a web request and inserts it into an 'exec()' function, an attacker can manipulate this input to trick the server into running unauthorized commands instead of the intended file processing task.

How is this command injection triggered?

The vulnerability is triggered when an attacker sends a web request containing specially crafted shell metacharacters within the 'id' GET parameter of the 'speech_text.php' script. Simply accessing the script without these malicious characters does not trigger the execution of unintended commands. The flaw specifically relies on the script's lack of input sanitization when passing that specific parameter to the server's command-line interface.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates that because this vulnerability exists in a web-accessible script that requires no authentication, it is highly relevant for any internet-facing deployment. Systems running this component that are reachable from the public internet are considered at increased risk. You should evaluate whether your specific instances of the Guardian language-system are exposed externally or protected within your internal network.

What should I do if I run Guardian language-system?

Start by identifying all servers or platforms where the Guardian language-system is deployed and determine who is responsible for managing those specific applications. Once identified, verify if these systems are accessible from the internet. Prioritize assessing the business criticality of these instances and coordinate with your platform owners to evaluate and apply the necessary security updates or configuration changes to neutralize this entry point.

References