CVE-2026-34102

Guardian · language-system

Guardian language-system contains an error-based SQL injection vulnerability in job_info_get.php, where the 'id' parameter is processed without proper sanitization.

Executive summary

An authenticated SQL injection vulnerability in the Guardian language-system enables attackers to compromise sensitive job information stored within the database.

Vulnerability

The 'id' GET parameter in job_info_get.php is interpolated directly into an SQL query without sanitization or parameter binding. This allows an authenticated attacker to perform error-based SQL injection, using database error messages returned by the script to extract data from the 'jobs' table.

Business impact

The ability to perform SQL injection allows an attacker to run arbitrary queries against the database, potentially exposing proprietary job data or system-level information. With a CVSS score of 9.8, the severity is extreme: the flaw provides a direct path to unauthorized access to sensitive information and undermines the security posture of the entire application.

Remediation

Immediate Action: Update the Guardian language-system to the latest version as recommended by the vendor.

Proactive Monitoring: Monitor database query logs for unusual error patterns or unexpected query execution times originating from the 'job_info_get.php' script.

Compensating Controls: Implement input validation at the application level (the 'id' parameter should be accepted only as an integer) and use a WAF to filter SQL injection strings in GET requests.
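As an added illustration, not the Guardian language-system source, the vulnerable pattern the advisory describes beside a hardened handler. The `$pdo` connection, the column names and the exact schema of the 'jobs' table are assumptions; the hardened version validates 'id' as an integer, binds it in a prepared statement, and returns a generic error so that database messages, which error-based injection depends on, never reach the client.

```php
<?php
// Added example, not the project's own code. Assumed: a PDO connection in $pdo
// (PDO::ERRMODE_EXCEPTION enabled) and a 'jobs' table with integer primary key 'id'
// and columns 'title' and 'status'.

// Vulnerable pattern as described in the advisory: the raw GET parameter is
// spliced into the SQL text, and the database error text is echoed to the client.
function job_info_get_vulnerable(PDO $pdo): array
{
    $id  = $_GET['id'];                                   // no validation at all
    $sql = "SELECT * FROM jobs WHERE id = '" . $id . "'"; // string concatenation
    try {
        return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        die('Database error: ' . $e->getMessage());       // leaks error details
    }
}

// Hardened handler: validate, bind, and keep database errors server-side.
function job_info_get_hardened(PDO $pdo): array
{
    // Accept only a positive integer; anything else is rejected before any query.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false || $id === null) {
        http_response_code(400);
        return ['error' => 'invalid id'];
    }
    try {
        $stmt = $pdo->prepare('SELECT id, title, status FROM jobs WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // value, never SQL text
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('job_info_get: ' . $e->getMessage()); // log only, do not echo
        http_response_code(500);
        return ['error' => 'internal error'];
    }
}

// Usage (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=guardian', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
// ]);
// header('Content-Type: application/json');
// echo json_encode(job_info_get_hardened($pdo));
```

Disabling `display_errors` in production PHP configuration complements the generic error response, since PHP warnings can otherwise reveal query fragments even when the application catches the exception.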

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical nature of SQL injection vulnerabilities, immediate action is required to patch the affected script. Security teams should ensure that all instances of the Guardian language-system are updated to the most current release to eliminate this attack vector.