CVE-2026-34105
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Low risk, 29th percentile (higher than 29% of all known CVEs)
Summary
An SQL injection vulnerability in the Guardian language-system component allows an authenticated attacker to inject malicious SQL code via the 'id' parameter in translate_text.php. Lack of input sanitization enables error-based SQL injection to extract database contents.
Risk Assessment
An attacker can exfiltrate sensitive database data, including credentials, file contents, or other confidential information, leading to a breach of confidentiality and system integrity.
Recommendation
Immediately update the Guardian language-system component to a version that fixes the 'id' parameter validation (e.g., by using prepared statements or parameterized queries). Until the update, manually sanitize input in translate_text.php.
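As an added example, not the page's own text or code from the Guardian language-system project, the PHP below shows the recommendation applied to the query quoted in the NVD description: the id parameter is validated first, then passed to the database as a bound parameter of a prepared statement, and driver error text is logged server-side instead of being echoed to the client, which removes the channel that error-based injection depends on. The PDO connection settings, the function names, and the assumption that files.id is an integer column are mine; if the real column is a string, bind with PDO::PARAM_STR and validate against an allowlist pattern instead.

```php
<?php
// Added example (not the Guardian language-system project's code): a hardened
// replacement for the concatenated query quoted in the advisory.
// Assumptions: a PDO connection in $pdo, and that files.id is an integer
// column (the page does not state the column type; adjust if it differs).

declare(strict_types=1);

// Returns the validated id, or null when the parameter is missing or not a
// plain non-negative integer. FILTER_VALIDATE_INT returns false for any
// string that is not a whole integer, so nothing unexpected reaches SQL.
function validateId(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $id === false ? null : $id;
}

// Same column list as the original statement, but the value travels as a
// bound parameter and is never interpolated into the SQL text.
function lookupFileById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, filename, extension, type FROM files WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function handleTranslateRequest(PDO $pdo, array $get): void
{
    $id = validateId($get);
    if ($id === null) {
        http_response_code(400);
        echo 'Bad request';
        return;
    }

    try {
        $row = lookupFileById($pdo, $id);
    } catch (PDOException $e) {
        // Driver messages can reveal schema details; keep them in the log.
        error_log('translate_text lookup failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Internal error';
        return;
    }

    if ($row === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    // Output-encode before rendering; filename is attacker-influenced data.
    echo htmlspecialchars($row['filename'], ENT_QUOTES, 'UTF-8');
}

// Connection values are placeholders; real ones come from the deployment config.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);
handleTranslateRequest($pdo, $_GET);
```

Two design points: validation happens before the database is touched, so a rejected value never produces a driver error at all; and because exceptions are caught and logged rather than displayed, even a genuine database fault returns a generic 500 body, which is what closes the error-based leak described in the summary. Setting PDO::ATTR_EMULATE_PREPARES to false makes the MySQL driver use real server-side prepared statements rather than client-side escaping.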
Original NVD description (English source)
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text.php (line 15): SELECT id, filename, extension, type FROM files where id = '".$_GET['id']."'. An authenticated attacker can perform error-based SQL injection to extract database contents.