A critical, unauthenticated SQL injection flaw in Guardian's language-system lets remote attackers extract database contents through the id parameter of job_info.php.
What Is It
CVE-2026-34099 is an error-based SQL injection vulnerability (CWE-89) in the Guardian language-system web application. The job_info.php script passes the id GET parameter directly into an unsanitized SQL query on line 16:
SELECT * FROM jobs where id = '".$_GET['id']."'
Because the input is concatenated into the query without sanitization or parameterization, an attacker can break out of the string context and inject arbitrary SQL. No authentication is required to reach the vulnerable code path.
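As an added illustration (not code from the language-system project), the following self-contained PHP script places the concatenated lookup from job_info.php beside a hardened version that validates id as an integer and binds it through a PDO prepared statement. It runs offline against an in-memory SQLite database with constructed rows and assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not the project's code. Assumes the pdo_sqlite extension;
// the jobs table and its rows are constructed for this demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO jobs (id, title) VALUES (1, 'translator'), (2, 'reviewer')");

// Vulnerable pattern: the raw GET value is spliced into the SQL text, as on
// line 16 of job_info.php, so a quote in $rawId changes the query structure.
function fetchJobUnsafe(PDO $db, string $rawId): array
{
    $sql = "SELECT * FROM jobs where id = '" . $rawId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup: reject anything that is not a positive integer, then bind
// the value as a parameter so it can never be interpreted as SQL.
function fetchJobSafe(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller should respond 400 Bad Request and log the request
    }
    $stmt = $db->prepare('SELECT * FROM jobs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$benign    = '1';
$tautology = "1' OR '1'='1"; // constructed input that escapes the string context

printf("unsafe, benign:    %d row(s)\n", count(fetchJobUnsafe($db, $benign)));
printf("unsafe, tautology: %d row(s)\n", count(fetchJobUnsafe($db, $tautology)));
printf("safe, benign:      %s\n", json_encode(fetchJobSafe($db, $benign)));
printf("safe, tautology:   %s\n", var_export(fetchJobSafe($db, $tautology), true));
```

The unsafe function returns every row for the quoted input, while the hardened one rejects it before any SQL is built, which is the behaviour a patched job_info.php should show.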
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL): vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, with a corresponding CVSS 4.0 score of 9.3. It is remotely exploitable over the network, requires low attack complexity, no privileges, and no user interaction. An unauthenticated attacker can use error-based injection to extract the database version, current user, schema names, and table contents. The high confidentiality, integrity, and availability impacts reflect full exposure of backend data to any remote party.
No CISA KEV entry was supplied for this CVE, so there is no confirmed record of active exploitation in the provided source material.
What's Vulnerable
- Vendor: guardian
- Product: language-system
- Repository: https://github.com/guardian/language-system
- Affected versions: all versions up to and including git commit e42c395ec4b03fe62973a669c9209a673838b8a4 (default status: affected)
The vulnerable component is the job_info.php script's handling of the id GET parameter.
Patch Status
The supplied source material does not identify a fixed version, patch, or specific vendor remediation guidance beyond the affected-version boundary. Operators of Guardian language-system should treat all listed versions as vulnerable and consult the VulnCheck advisory below for the latest remediation details. As a general precaution, restrict untrusted access to the application until a fix is confirmed.
Sources
- NVD, CVE-2026-34099: https://nvd.nist.gov/vuln/detail/CVE-2026-34099
- VulnCheck Advisory, Guardian language-system unauthenticated SQL injection via id parameter in job_info.php: https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-job-info-php
- Disclosure gist (cyberinforepo): https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad