CVE-2026-34105

Guardian · language-system

The Guardian language-system contains an error-based SQL injection vulnerability in translate_text.php, allowing authenticated users to extract database contents via the 'id' GET parameter.

Executive summary

An authenticated SQL injection vulnerability in the Guardian language-system allows an authenticated attacker to perform unauthorized database queries and extract data.

Vulnerability

This is an error-based SQL injection vulnerability located in the translate_text.php file. An authenticated attacker can exploit this by passing malicious input through the unsanitized 'id' GET parameter.
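The following is an added before/after illustration of the pattern this advisory describes, not Guardian's own code (the advisory does not show the affected source): the table and column names, the function names and the `$db` PDO handle are assumptions made for the example. It also shows why echoing database errors to the client matters for an error-based injection, and why the fix should both bind the parameter and stop leaking errors.

```php
<?php
// Hypothetical before/after illustration of the pattern described in the
// advisory, not Guardian's code: table/column names and the PDO handle $db
// (opened with PDO::ERRMODE_EXCEPTION) are assumptions made for this example.

// BEFORE (vulnerable pattern): the raw 'id' GET parameter is concatenated into
// the SQL text, so attacker-controlled input becomes part of the query. Echoing
// database errors back to the client is what makes the injection "error-based":
// each failing query reports details about the schema and data.
function translateTextVulnerable(PDO $db): ?string
{
    $id  = $_GET['id'];                                   // unsanitized
    $sql = "SELECT text FROM translations WHERE id = " . $id;
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        echo $e->getMessage();                            // leaks error details
        return null;
    }
    return $row['text'] ?? null;
}

// AFTER (hardened): the parameter is validated as a positive integer, bound
// through a prepared statement so it cannot alter the query structure, and
// database errors are logged server-side while the client gets a generic status.
function translateTextSafe(PDO $db): ?string
{
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);                          // reject, do not query
        return null;
    }
    try {
        $stmt = $db->prepare('SELECT text FROM translations WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('translate_text query failed: ' . $e->getMessage());
        http_response_code(500);                          // no error text to client
        return null;
    }
    return $row === false ? null : $row['text'];
}
```

When reviewing a patch for this class of issue, check both halves: a prepared statement alone removes the injection, but verbose database errors reflected in responses still disclose internals and should be disabled in production.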

Business impact

With a CVSS score of 9.8, this vulnerability poses a critical threat to the confidentiality of stored data. Successful exploitation could allow an attacker to bypass standard database access controls, leading to unauthorized data exfiltration and potential compromise of the entire backend repository.

Remediation

Immediate Action: Apply the latest security update released by Guardian for the language-system.

Proactive Monitoring: Monitor database query performance and logs for suspicious error patterns or unauthorized access attempts originating from authenticated sessions.

Compensating Controls: Deploy WAF rules designed to inspect and block malformed GET requests that contain SQL syntax, particularly those targeting the translate_text.php script.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the ease of exploitation and the severity of potential data loss, organizations must prioritize this update. Ensure that all authenticated accounts are monitored and that the patch is applied across all instances of the language-system immediately.