A critical SQL injection flaw in Guardian's language-system lets an attacker inject arbitrary SQL through the id parameter of translate_text.php, exposing the backend database.
What Is It
CVE-2026-34105 is an SQL injection vulnerability (CWE-89) in the Guardian language-system web application. In translate_text.php (line 15), the id GET parameter is passed directly into an unsanitized SQL query:
SELECT id, filename, extension, type FROM files where id = '".$_GET['id']."'
Because the input is concatenated without sanitization, an attacker can perform error-based SQL injection to extract database contents. The flaw is exploitable without authentication: the CVSS vector specifies no privileges required (PR:N), and the VulnCheck advisory characterizes the injection as unauthenticated.
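The concatenation pattern quoted above, mirrored in Python against an in-memory SQLite stand-in for the files table so the behaviour can be run locally, beside a validated and parameterised version. This is an added example, not code from the language-system project; the table rows and the function names are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the application's `files` table:
# column names come from the query quoted in the advisory, rows are made up.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, filename TEXT, extension TEXT, type TEXT)"
    )
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?, ?)",
        [(1, "strings_en", "json", "translation"), (2, "strings_de", "json", "translation")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, raw_id: str):
    # Same construction as translate_text.php line 15: the request value is
    # spliced into the SQL text, so any quote character in it becomes SQL.
    sql = "SELECT id, filename, extension, type FROM files WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn: sqlite3.Connection, raw_id: str):
    # Hardened form: reject anything that is not a plain integer, then bind the
    # value as a parameter so the database receives it as data, never as statement text.
    if not raw_id.isdigit():
        return None
    sql = "SELECT id, filename, extension, type FROM files WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchone()

def unsafe_raises(raw_id: str) -> bool:
    # True when the concatenated query no longer parses. A stray quote from the
    # client reaching the parser is exactly the error surface the advisory describes;
    # the parameterised lookup never exposes it.
    try:
        lookup_unsafe(make_db(), raw_id)
        return False
    except sqlite3.Error:
        return True
```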
Why It Matters
NVD assigns a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-exploitable, low attack complexity, no privileges or user interaction required, and high confidentiality, integrity, and availability impact. A parallel CVSS 4.0 score of 9.3 (CRITICAL) is also provided. Successful exploitation allows extraction of database contents, exposing potentially sensitive stored data.
What's Vulnerable
- Vendor: guardian
- Product: language-system
- Repository: https://github.com/guardian/language-system
- Affected versions: all commits up to and including e42c395ec4b03fe62973a669c9209a673838b8a4 (git version type)
Patch Status
No CISA KEV entry was supplied for this CVE, so there is no evidence of confirmed active exploitation and no KEV-mandated remediation action in the provided data. The NVD record lists a vulnerability status of "Deferred" and includes a VulnCheck advisory but no fixed-version or patch reference in the supplied source material. Organizations running the affected code should consult the vendor repository and the VulnCheck advisory below for remediation guidance.