CVE Catalog

CVE-2026-34105

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

An SQL injection vulnerability in the Guardian language-system component allows an authenticated attacker to inject malicious SQL code via the 'id' parameter in translate_text.php. Lack of input sanitization enables error-based SQL injection to extract database contents.

Risk Assessment

An attacker can exfiltrate sensitive database data, including credentials, file contents, or other confidential information, leading to a breach of confidentiality and system integrity.

Recommendation

Immediately update the Guardian language-system component to a version that fixes the 'id' parameter validation (e.g., by using prepared statements or parameterized queries). Until the update is applied, manually sanitize the input in translate_text.php.
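
One way to apply the parameterized-query recommendation above, as an added example that is not the Guardian project's code. The table layout follows the query quoted in the NVD description; the in-memory SQLite database, the sample row and the helper names open_demo_db and find_file are assumptions made for illustration.

```php
<?php
// Added example, not the Guardian project's code. Columns follow the query
// quoted in the NVD description; the sample row is constructed.
declare(strict_types=1);

function open_demo_db(): PDO
{
    // Assumption: in-memory SQLite stands in for the real database.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, filename TEXT, extension TEXT, type TEXT)');
    $pdo->exec("INSERT INTO files VALUES (1, 'welcome', 'txt', 'text')");
    return $pdo;
}

// Hypothetical helper: returns the file row, or null when the id is
// malformed or unknown. The id never becomes part of the SQL text.
function find_file(PDO $pdo, $rawId): ?array
{
    // Allow-list validation: a positive integer only. Arrays (?id[]=1)
    // and strings with extra characters both fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return null;
    }
    try {
        $stmt = $pdo->prepare('SELECT id, filename, extension, type FROM files WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
    } catch (PDOException $e) {
        // Log server-side and return nothing to the client: error-based
        // injection relies on database errors being visible in responses.
        error_log('files lookup failed: ' . $e->getMessage());
        return null;
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_demo_db();
// Constructed inputs: a valid id, a value with a stray quote, an array.
foreach (['1', "1'", ['1']] as $input) {
    $row = find_file($pdo, $input);
    echo json_encode($input), ' => ', $row ? $row['filename'] : 'rejected', PHP_EOL;
}
```

In translate_text.php the equivalent call would take $_GET['id'] as the raw value; validation and binding together mean a malformed id is rejected before any query runs.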

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text.php (line 15): SELECT id, filename, extension, type FROM files where id = '".$_GET['id']."'. An authenticated attacker can perform error-based SQL injection to extract database contents.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS