CVE Catalog

CVE-2026-34100

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

An SQL injection vulnerability in the Guardian language-system allows an authenticated attacker to inject malicious SQL code via the id parameter in media.php. Lack of input sanitization enables error-based extraction of database contents.

Risk Assessment

The organization is at risk of sensitive data leakage from the database, including user data and files. An attacker can gain unauthorized access to information, potentially compromising system confidentiality and integrity.

Recommendation

Immediately update Guardian language-system to the latest patched version. If no patched version is available, change media.php to use parameterized SQL queries or to validate the id parameter before it reaches the query.
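
One way to apply the parameterized-query recommendation to the files query quoted in the NVD description on this page, as an added example that is not Guardian's own code or its patch. It assumes PHP 8 with PDO, assumes that id is a positive integer, and uses a hypothetical helper fetch_media() with a constructed in-memory SQLite table.

```php
<?php
declare(strict_types=1);

// Added example, not Guardian's code. fetch_media() is a hypothetical helper.

/**
 * Look up one row of the files table with a bound parameter.
 * Returns the row, or null when the id is malformed or unknown.
 */
function fetch_media(PDO $db, mixed $rawId): ?array
{
    // $_GET values can be arrays (?id[]=1); accept only a short digit string.
    // Assumption: ids are positive integers. Adjust the pattern if they are not.
    if (!is_string($rawId) || preg_match('/\A[1-9][0-9]{0,17}\z/', $rawId) !== 1) {
        return null;
    }

    // The value travels separately from the SQL text, so a quote in the input
    // cannot close the string literal the way it does in the concatenated query.
    $stmt = $db->prepare(
        'SELECT id, filename, extension, type, duration, owner, private
           FROM files WHERE id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
// Raise exceptions internally and log them; never echo database errors to the
// client, because error-based extraction depends on seeing them.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, filename TEXT, extension TEXT,
           type TEXT, duration INTEGER, owner INTEGER, private INTEGER)');
$db->exec("INSERT INTO files VALUES (1, 'lesson01', 'mp3', 'audio', 95, 7, 0)");

var_dump(fetch_media($db, '1'));     // well-formed id
var_dump(fetch_media($db, "1'"));    // input containing a quote
var_dump(fetch_media($db, ['1']));   // array input (?id[]=1)
```

In media.php the call would take the place of the concatenated query, for example fetch_media($db, $_GET['id'] ?? null), with a null result answered by a generic 404 rather than a database error message.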

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in media.php (line 17): SELECT id, filename, extension, type, duration, owner, private FROM files where id = '".$_GET['id']."'. An authenticated attacker can perform error-based SQL injection to extract database contents.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS