CVE-2026-34099
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Low risk, 37th percentile (higher than 37% of all known CVEs)
Summary
A SQL injection vulnerability in Guardian language-system allows an unauthenticated attacker to inject SQL via the 'id' GET parameter of job_info.php. Because the parameter is not sanitized before it is used in a query, the attacker can read sensitive database information.
Risk Assessment
The organization is at risk of a data breach exposing the database version, usernames, schemas, and table contents, potentially compromising data confidentiality and integrity.
Recommendation
Immediately update Guardian language-system to the latest patched version. As a workaround, rewrite the affected query in job_info.php to use a parameterized (prepared) SQL statement, or strictly validate the 'id' parameter before it reaches the query.
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info.php (line 16): SELECT * FROM jobs where id = '".$_GET['id']."'. No authentication is required. An unauthenticated attacker can perform error-based SQL injection to extract the database version, current user, schema names, and table contents.
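The following is an added example illustrating the workaround in the Recommendation above against the query pattern quoted in the NVD description; it is not code from Guardian language-system. It places the concatenated query beside a hardened replacement that validates the 'id' parameter as an integer and binds it through a PDO prepared statement, and it stops driver error text from reaching the client, which is what error-based extraction relies on. The DSN, credentials, the assumption that job ids are positive integers, and the shape of the jobs table are all assumptions.

```php
<?php
// Added example, not Guardian language-system code. Connection details,
// the integer-id assumption and the 'jobs' table layout are assumptions.

declare(strict_types=1);

function connect(): PDO
{
    // Assumed connection details; the application's own values go here.
    return new PDO('mysql:host=localhost;dbname=guardian', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: bound values never enter the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// VULNERABLE (the pattern quoted from job_info.php in the NVD text):
// the raw GET value is spliced into the SQL string, so the client
// controls query syntax, not just a value.
function jobInfoVulnerable(PDO $pdo): array
{
    $sql = "SELECT * FROM jobs where id = '" . $_GET['id'] . "'";
    return $pdo->query($sql)->fetchAll();
}

// HARDENED: validate the parameter's shape, then bind it as a typed
// placeholder so the database receives it as data, never as SQL.
function jobInfoHardened(PDO $pdo): ?array
{
    $raw = $_GET['id'] ?? '';

    // Assumption: job ids are positive integers. filter_var returns false
    // for anything else (empty, non-numeric, arrays such as ?id[]=1).
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $pdo->prepare('SELECT * FROM jobs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Error handling: log driver errors server-side and return a generic
// message, so database error text is never shown to the client.
try {
    $pdo = connect();
    $job = jobInfoHardened($pdo);
    header('Content-Type: application/json');
    echo json_encode($job ?? ['error' => 'job not found or invalid id']);
} catch (PDOException $e) {
    error_log('job_info.php database error: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'internal error']);
}
```

Both layers matter: the integer check rejects malformed input early with a 400, and the bound placeholder protects the query even if the validation rule is later loosened (for example, to allow string ids). Disabling emulated prepares ensures the value is sent to the server separately from the statement text rather than being quoted into it by the client library.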