
CVE-2026-34100: Critical SQL Injection in Guardian language-system

"A critical SQL injection flaw in Guardian's language-system lets attackers extract database contents through the unsanitized `id` parameter in `media.php`, earning a CVSS 9.8 rating."

What Is It

CVE-2026-34100 is an error-based SQL injection vulnerability (CWE-89) in the Guardian language-system project. The application passes the id GET parameter directly into an unsanitized SQL query in media.php (line 17):

SELECT id, filename, extension, type, duration, owner, private FROM files where id = '".$_GET['id']."'

Because the input is concatenated into the query without sanitization, an attacker can inject SQL and perform error-based extraction of database contents.
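The mechanics described above, reproduced against an in-memory SQLite database as an added example (this is not Guardian's code; the `files` table and its rows are constructed here, and the function names are illustrative). The vulnerable function builds the query by string concatenation exactly as the quoted media.php line does; the hardened function binds the value as a parameter instead. Because SQLite lacks the error-reporting functions (such as MySQL's extractvalue) used for true error-based extraction, the example shows the two pieces a tester can reproduce anywhere: the database error a stray quote provokes (the signal error-based injection relies on), and data extraction through the same injection point, here via UNION against sqlite_master.

```python
import sqlite3

# Constructed sample data, not taken from the Guardian project: a minimal
# `files` table with the seven columns named in the vulnerable query.
SAMPLE_ROWS = [
    (1, "intro", "mp4", "video", 120, "alice", 0),
    (2, "secret", "pdf", "doc", 0, "bob", 1),
]

COLUMNS = "id, filename, extension, type, duration, owner, private"


def make_db():
    """Build an in-memory database with the sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER, filename TEXT, extension TEXT, "
        "type TEXT, duration INTEGER, owner TEXT, private INTEGER)"
    )
    conn.executemany("INSERT INTO files VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the media.php pattern: user input concatenated into SQL text."""
    sql = f"SELECT {COLUMNS} FROM files where id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def probe_for_error(conn, user_id):
    """Return True if the input makes the database raise an error.

    A single quote that breaks the query is the classic first signal an
    error-based injection point exists.
    """
    try:
        lookup_vulnerable(conn, user_id)
        return False
    except sqlite3.Error:
        return True


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter, never spliced in."""
    sql = f"SELECT {COLUMNS} FROM files WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology payload: returns the private row the caller should not see.
    print(lookup_vulnerable(db, "' OR private=1 --"))
    # UNION payload: pulls the table definition out of sqlite_master.
    print(lookup_vulnerable(db, "' UNION SELECT 1,sql,'','',0,'',0 FROM sqlite_master --"))
    # The same payloads are inert once the value is bound as a parameter.
    print(lookup_parameterized(db, "' OR private=1 --"))
```

In PHP the equivalent of `lookup_parameterized` is a prepared statement, for example `$pdo->prepare("SELECT ... FROM files WHERE id = ?")` followed by `execute([$_GET['id']])`; casting `id` to an integer before use is a sound additional check but not a substitute for binding.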

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high impact to confidentiality, integrity, and availability. A parallel CVSS 4.0 assessment scores it 9.3 (CRITICAL). CISA's SSVC evaluation rates the issue as automatable, with total technical impact and proof-of-concept exploit maturity, meaning working exploit code is publicly referenced. Successful exploitation allows an attacker to read arbitrary data from the backend database.

Note: the CVE description characterizes the attacker as authenticated, while the CVSS vector lists privileges required as none; both are reproduced here as supplied.

What's Vulnerable

The source data identifies the affected code only by a git commit boundary; no vendor CPE ranges or affected version numbers were provided.

Patch Status

The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation in the provided data, and no CISA-mandated remediation deadline is present. The NVD record lists a vulnerability status of "Deferred." No fixed version or patch commit is specified in the supplied data; organizations running the affected code should replace the string concatenation in media.php with a parameterized (prepared) query, treating an integer cast of id as an additional check rather than a substitute, and consult the vendor advisory below.

Sources