CVE Catalog

CVE-2026-34104

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

An SQL injection vulnerability in Guardian language-system allows an authenticated attacker to inject malicious SQL code via the 'name' GET parameter in designer.php. Unsanitized input enables arbitrary SQL queries and extraction of database contents.

Risk Assessment

An attacker can access sensitive data stored in the database, such as passwords, user data, or system configuration, leading to confidentiality and integrity breaches.

Recommendation

Immediately update Guardian language-system to the latest patched version. If no patched version is available, use parameterized SQL queries or input validation for the 'name' parameter.
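
The concatenated query pattern from the NVD description beside a parameterized form, as an added example that is not Guardian language-system code. It assumes PHP 8 with the pdo_sqlite extension; the in-memory database, the sample rows, the function names and the 64-character limit are constructed for illustration, and only the table `complex` and the column `name` come from the advisory.

```php
<?php
declare(strict_types=1);

// Constructed stand-in database; only `complex` and `name` come from the advisory.
function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE complex (id INTEGER PRIMARY KEY, name TEXT)");
    $pdo->exec("INSERT INTO complex (name) VALUES ('alpha'), ('O''Brien')");
    return $pdo;
}

// Pattern reported for designer.php: input concatenated into the SQL text.
function lookup_concatenated(PDO $pdo, string $name): array {
    $sql = "SELECT * FROM complex WHERE name='" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form (hypothetical helper): type/length check, then a bound parameter.
function lookup_parameterized(PDO $pdo, mixed $name): array {
    if (!is_string($name) || $name === '' || strlen($name) > 64) {
        return [];                       // rejects name[]=... arrays and oversized values
    }
    $stmt = $pdo->prepare('SELECT * FROM complex WHERE name = :name');
    $stmt->execute([':name' => $name]);  // value travels as data, never as SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo  = make_db();
$name = "O'Brien";                       // constructed input containing a quote

try {
    lookup_concatenated($pdo, $name);
    echo "concatenated: ok\n";
} catch (PDOException $e) {
    // The quote ended the string literal early and the rest was parsed as SQL.
    // Log such errors server-side; do not echo database errors to the client.
    echo "concatenated: query structure broken by input\n";
}

$rows = lookup_parameterized($pdo, $name);
echo "parameterized: " . count($rows) . " row(s)\n";
echo "array input: " . count(lookup_parameterized($pdo, ['x'])) . " row(s)\n";
```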

Original NVD description (English source)

Guardian language-system passes the name GET parameter directly into an unsanitized SQL query in designer.php (line 124): SELECT * FROM complex WHERE name='".$_GET['name']."'. An authenticated attacker can perform error-based SQL injection to extract database contents.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS