CVE-2026-34101
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Low risk, 29th percentile (higher than 29% of all known CVEs)
Summary
SQL Injection vulnerability in Guardian language-system allows an authenticated attacker to inject SQL code via the id parameter in text_file.php. Unsanitized input enables extraction of database contents.
Risk Assessment
An attacker can exfiltrate sensitive database information, including user data and content, leading to confidentiality and integrity breaches.
Recommendation
Immediately update Guardian language-system to the latest patched version. As a workaround, use parameterized SQL queries or input validation for the id parameter.
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in text_file.php (line 17): SELECT id, filename, extension, type, duration, owner, private FROM files where id = '".$_GET['id']."'. An authenticated attacker can perform error-based SQL injection to extract database contents.
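
The parameterized-query workaround from the Recommendation, applied to the query quoted above, as an added example that is not Guardian language-system's own code. The function name fetch_file, the PDO connection, the in-memory SQLite table with its sample row, and the assumption that id is a positive integer are all illustrative.

```php
<?php
declare(strict_types=1);

// Pattern described for text_file.php line 17: request data is concatenated
// into the SQL text, so the database parses it as part of the statement:
//   ... FROM files where id = '".$_GET['id']."'

/**
 * Hardened lookup (hypothetical helper): validate the id, then bind it as a
 * parameter so it is never parsed as SQL.
 * Returns the row, or null when the id is invalid or no row matches.
 */
function fetch_file(PDO $db, mixed $rawId): ?array
{
    // Assumption: files.id is a positive integer key. Arrays, empty strings
    // and anything that is not a whole number fail validation here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, filename, extension, type, duration, owner, private
           FROM files WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (assumption: the
// real application may use another DBMS; the PDO calls are the same).
$db = new PDO('sqlite::memory:');
// Throw on database errors so they can be logged server-side instead of
// being echoed to the client, which is what error-based extraction relies on.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, filename TEXT,
           extension TEXT, type TEXT, duration INTEGER, owner TEXT, private INTEGER)');
$db->exec("INSERT INTO files VALUES (1, 'intro', 'txt', 'text', 0, 'alice', 0)");

var_dump(fetch_file($db, '1'));    // well-formed id that exists
var_dump(fetch_file($db, "1'"));   // id carrying a stray quote
var_dump(fetch_file($db, '999'));  // well-formed id with no matching row
```

Validation and binding are independent layers: the bound parameter alone keeps the value out of the SQL text, and the integer check rejects malformed ids before any query is prepared.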

