⚡ Active KEV CVE-2026-34099 2026-07-01

CVE-2026-34099: Unauthenticated SQL Injection in Guardian language-system

"A critical, unauthenticated SQL injection flaw in Guardian's language-system lets remote attackers extract database contents through the `id` parameter of `job_info.php`."

What Is It

CVE-2026-34099 is an error-based SQL injection vulnerability (CWE-89) in the Guardian language-system web application. The job_info.php script passes the id GET parameter directly into an unsanitized SQL query on line 16:

SELECT * FROM jobs where id = '".$_GET['id']."'

Because the input is concatenated into the query without sanitization or parameterization, an attacker can break out of the string context and inject arbitrary SQL. No authentication is required to reach the vulnerable code path.
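
The same lookup with the id value validated and bound as a parameter instead of concatenated into the query text. This is an added example, not Guardian's code or a vendor patch; the find_job helper, the use of PDO, the integer type of id and the in-memory jobs table are assumptions.

```php
<?php
// Added example: hardened form of the job lookup. Not Guardian's code.
// Assumptions: PDO is available, jobs.id is an integer key, and the
// in-memory SQLite table below is constructed sample data.
declare(strict_types=1);

function find_job(PDO $db, mixed $rawId): ?array
{
    // Reject anything that is not a plain positive integer before touching SQL.
    // Arrays (e.g. ?id[]=1) also fail this check and return null.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT * FROM jobs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO jobs (id, title) VALUES (1, 'Translator'), (2, 'Editor')");

// Constructed inputs: one valid id, one unknown id, two malformed values.
$samples = ['1', '99', "1'", 'abc'];
foreach ($samples as $input) {
    try {
        $job = find_job($db, $input);
        echo json_encode($input), ' => ', $job ? $job['title'] : 'not found', PHP_EOL;
    } catch (PDOException $e) {
        // Error-based injection relies on database errors reaching the client:
        // log the detail server-side and return only a generic message.
        error_log($e->getMessage());
        echo 'request failed', PHP_EOL;
    }
}
```

Only the first sample returns a row; the malformed values are rejected by the integer check before any query is prepared.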

Why It Matters

The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL): vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, with a corresponding CVSS 4.0 score of 9.3. It is remotely exploitable over the network, requires low attack complexity, no privileges, and no user interaction. An unauthenticated attacker can use error-based injection to extract the database version, current user, schema names, and table contents. The high confidentiality, integrity, and availability impacts reflect full exposure of backend data to any remote party.

No CISA KEV entry was supplied for this CVE, so there is no confirmed record of active exploitation in the provided source material.

What's Vulnerable

The vulnerable component is the job_info.php script's handling of the id GET parameter.

Patch Status

The supplied source material does not identify a fixed version, patch, or specific vendor remediation guidance beyond the affected-version boundary. Operators of Guardian language-system should treat all listed versions as vulnerable and consult the VulnCheck advisory below for the latest remediation details. As a general precaution, restrict untrusted access to the application until a fix is confirmed.

Sources