CVE Catalog

CVE-2026-34103

Critical, CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

An SQL injection vulnerability in the Guardian language-system allows an authenticated attacker to inject malicious SQL code via the 'id' parameter in subtitles.php. The lack of input sanitization enables error-based SQL injection to extract database contents.

Risk Assessment

An attacker can exfiltrate sensitive database contents, including user data and system configuration, leading to confidentiality and integrity breaches for the organization.

Recommendation

Immediately update Guardian language-system to the latest patched version and implement parameterized SQL queries or input validation for the 'id' parameter.

Original NVD description (English source)

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in subtitles.php (line 16): SELECT id, filename, extension, type FROM files where id = '".$_GET['id']."'. An authenticated attacker can perform error-based SQL injection to extract database contents.
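
The recommendation above, applied to the query quoted in the NVD description. This is an added example, not code from the Guardian language-system project. It assumes PHP 8 with PDO, an integer id column, and an in-memory SQLite database with constructed data so that it runs offline; find_file_by_id() is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern described by the advisory (subtitles.php, line 16):
//   "... FROM files where id = '" . $_GET['id'] . "'"
// The request value becomes part of the SQL text itself.

/**
 * Hypothetical helper: returns the matching row, or null when the id is
 * malformed or unknown.
 */
function find_file_by_id(PDO $db, mixed $rawId): ?array
{
    // Allow-list validation: digits only, bounded length (assumes integer ids).
    // $_GET values can also be arrays, so the type is checked first.
    if (!is_string($rawId) || !preg_match('/\A[0-9]{1,10}\z/', $rawId)) {
        return null;
    }

    // The placeholder keeps the value out of the SQL text; it is bound as data.
    $stmt = $db->prepare(
        'SELECT id, filename, extension, type FROM files WHERE id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data (the real schema is not given in the advisory).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, filename TEXT, extension TEXT, type TEXT)');
$db->exec("INSERT INTO files VALUES (1, 'episode01', 'srt', 'subtitle')");

// Stand-ins for $_GET['id'] (constructed values): valid, unknown, malformed, array.
foreach (['1', '2', "1'", ['1']] as $candidate) {
    $row = find_file_by_id($db, $candidate);
    echo json_encode($candidate), ' => ',
        $row === null ? 'no result' : $row['filename'], PHP_EOL;
}
```

Malformed and unknown ids take the same "no result" path, so the response does not reveal how the database reacted to the input. Keeping display_errors off in production and logging database exceptions server-side removes the error output that error-based extraction depends on.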

Vulnerability data from NVD (NIST) · CISA KEV · EPSS