A critical SQL injection flaw in Guardian's language-system lets attackers extract database contents through the unsanitized id parameter in media.php, earning a CVSS 9.8 rating.
What Is It
CVE-2026-34100 is an error-based SQL injection vulnerability (CWE-89) in the Guardian language-system project. The application passes the id GET parameter directly into an unsanitized SQL query in media.php (line 17):
SELECT id, filename, extension, type, duration, owner, private FROM files where id = '".$_GET['id']."'
Because the input is concatenated into the query without sanitization, an attacker can inject SQL and perform error-based extraction of database contents.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, network-reachable, low complexity, no user interaction, and high impact to confidentiality, integrity, and availability. A parallel CVSS 4.0 assessment scores it 9.3 (CRITICAL). CISA's SSVC evaluation flags the issue as automatable, with total technical impact and a proof-of-concept exploit maturity, meaning working exploit code is publicly referenced. Successful exploitation allows an attacker to read arbitrary data from the backend database.
Note: the CVE description characterizes the attacker as authenticated, while the CVSS vector lists privileges required as none; both are reproduced here as supplied.
What's Vulnerable
- Vendor: guardian
- Product: language-system
- Repository: https://github.com/guardian/language-system
- Affected versions: all versions up to and including git commit e42c395ec4b03fe62973a669c9209a673838b8a4
No specific vendor CPE ranges beyond this git commit boundary were provided in the source data.
Patch Status
The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation in the provided data, and no CISA-mandated remediation deadline is present. The NVD record lists a vulnerability status of "Deferred." No fixed version or patch commit is specified in the supplied data; organizations running the affected code should validate and parameterize the id parameter and consult the advisories listed under Sources.
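As an added illustration (not code from the language-system project), the concatenation pattern quoted above beside a hardened form that validates id as an integer and binds it through a prepared statement. The table and column names follow the quoted query; the PDO connection details and the $_GET handling are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a PDO connection to the
// application's database; column names follow the query quoted in the advisory.

// Vulnerable pattern: the raw id parameter is spliced into the SQL text, so a
// quote character in the input changes the structure of the query itself.
function getFileVulnerable(PDO $pdo, array $get): ?array
{
    $sql = "SELECT id, filename, extension, type, duration, owner, private "
         . "FROM files WHERE id = '" . $get['id'] . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: enforce the expected type first, then bind the value so the
// database receives it as data and never as part of the SQL text.
function getFileSafe(PDO $pdo, array $get): ?array
{
    // Anything that is not a non-negative integer is rejected before any query runs.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT id, filename, extension, type, duration, owner, private '
        . 'FROM files WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings are placeholders. Native prepares keep the query text and
// parameters separate on the wire; exceptions let us control what the client sees.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

try {
    $file = getFileSafe($pdo, $_GET);
} catch (PDOException $e) {
    // Error-based extraction depends on driver error text reaching the client,
    // so log the detail server-side and return a generic response instead.
    error_log('media lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
```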
Sources
- NVD, CVE-2026-34100: https://nvd.nist.gov/vuln/detail/CVE-2026-34100
- VulnCheck Advisory, Guardian language-system SQL Injection via id parameter in media.php: https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-media-php
- Proof-of-concept reference (GitHub Gist): https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad