CVE-2026-34104
Critical (CVSS 9.8)
Exploitation Probability (EPSS): Low risk, 29th percentile (higher than 29% of all known CVEs)
Summary
An SQL injection vulnerability in Guardian language-system allows an authenticated attacker to inject malicious SQL code via the 'name' GET parameter in designer.php. Unsanitized input enables arbitrary SQL queries and extraction of database contents.
Risk Assessment
An attacker can access sensitive data stored in the database, such as passwords, user data, or system configuration, leading to confidentiality and integrity breaches.
Recommendation
Immediately update Guardian language-system to the latest patched version. If no patched version is available, use parameterized SQL queries or input validation for the 'name' parameter.
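The recommended change, as an added example that is not Guardian language-system's own code: it contrasts the concatenated query pattern with a PDO prepared statement. Only the table name `complex` comes from the advisory; the in-memory SQLite database, the column layout, the sample rows, and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database: an in-memory SQLite
// table named "complex" (name from the advisory; columns and rows are assumed).
function demoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE complex (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO complex (name) VALUES ('alpha'), ('O''Brien')");
    return $pdo;
}

// The pattern the advisory describes: the value becomes part of the SQL text.
function lookupConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT * FROM complex WHERE name='" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized form: the SQL text is fixed and the value is bound separately,
// so quotes in the value can never alter the statement's structure.
function lookupPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT * FROM complex WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo  = demoDb();
$name = "O'Brien"; // constructed input standing in for $_GET['name']

try {
    lookupConcatenated($pdo, $name);
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    // The stray quote changed the statement's structure. Driver errors are
    // what error-based injection reads, so log them server-side and never
    // echo them back to the client.
    echo "concatenated: SQL error (logged, not displayed)\n";
}

$rows = lookupPrepared($pdo, $name);
echo 'prepared: ' . count($rows) . " row(s) matched\n";
```

A legitimate value containing a single quote is enough to break the concatenated query, which makes it a useful regression test input after the fix is applied.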
Original NVD description (English source)
Guardian language-system passes the name GET parameter directly into an unsanitized SQL query in designer.php (line 124): SELECT * FROM complex WHERE name='".$_GET['name']."'. An authenticated attacker can perform error-based SQL injection to extract database contents.

