HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-34103Published Modified CNA VulnCheck

CVE-2026-34103: Guardian Language-System Unauthenticated SQL Injection via id Parameter in subtitles.php

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in subtitles.php (line 16): SELECT id, filename, extension, type FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Unauthenticated SQL injection affects Guardian language-system, a PHP-based subtitle and file management application. The vulnerability is reachable over the network with no authentication required, as the id GET parameter in subtitles.php is passed directly into a raw SQL query without any sanitization. Successful exploitation gives an attacker full read and write access to the underlying database, and can disrupt service availability. No fix version has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Guardian language-system at any commit up to and including e42c395ec4b03fe62973a669c9209a673838b8a4. Images identified as affected are flagged immediately in the scan results for each registry and CI pipeline connected to the customer account.

Available
Triage

HarborGuard scores this finding at CVSS v4.0 9.3 (Critical) and weights it against each environment's compliance policy to determine routing priority. Triage alerts are directed to the appropriate team inbox within the customer organization based on configured ownership rules for the affected image or workload.

Available
Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version is released. In the interim, customers with auto-remediation enabled can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for containers running the affected image.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable subtitles.php endpoint is exposed over the network, so an attacker must be able to reach the web service via HTTP to send a crafted id parameter.

  • AuthenticationNot required

    No credentials are needed; the vulnerable GET parameter is accessible to any unauthenticated request.

  • Victim interactionNot required

    The attacker sends a direct HTTP request to the server; no user action or social engineering is involved.

  • Attack complexityDetail

    Exploitation is reliable and condition-free: the injection point accepts unsanitized input without any prerequisites such as race conditions or specific memory layout requirements.

Blast Radius

  • Reads all data stored in the connected database, including file records, user credentials, and any other persisted application data.
  • Modifies or deletes database rows, allowing an attacker to tamper with stored content, corrupt application state, or remove records entirely.
  • Crashes or severely degrades the database-backed application by issuing destructive SQL statements, causing a denial of service for all users of the affected instance.
  • Depending on database server configuration, may leverage SQL features such as file read/write or out-of-band techniques to pivot further into the host environment.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for this critical SQL injection, the platform monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment the Guardian language-system maintainers publish a fix. Until then, customers are encouraged to use HarborGuard's network-policy controls to isolate containers running the affected image, blocking external HTTP access to the subtitles.php endpoint as a compensating control. Egress filtering can also be applied to limit out-of-band SQL injection channels such as DNS or HTTP callbacks. Teams with auto-remediation enabled will receive a rebuild, regression-test run, and a PR against affected workloads as soon as a fix version is available upstream. Where compliance policy permits immediate action on critical-severity findings, HarborGuard can enforce a policy gate that blocks promotion of the affected image to production registries until the CVE is resolved.

See how HarborGuard automates this
Affected packages
  • guardian / language-system
    ≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N