CVE-2026-34105: Guardian Language-System Unauthenticated SQL Injection via id Parameter in translate_text.php
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text.php (line 15): SELECT id, filename, extension, type FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability exists in Guardian language-system, a PHP-based file translation component. The id GET parameter in translate_text.php is passed directly into a SQL query without sanitization, allowing any network-accessible attacker with no credentials to inject arbitrary SQL. Successful exploitation gives the attacker full read and write access to the database and can crash the affected service. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available the moment an upstream fix is released.
HarborGuard Coverage
Detection for CVE-2026-34105 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI pipelines, including custom-built images that bundle Guardian language-system at or below commit e42c395ec4b03fe62973a669c9209a673838b8a4.
AvailableHarborGuard scores this CVE at CVSS v4.0 9.3 (Critical) and weights it against each environment's compliance policy to determine urgency and routing, sending findings to the inbox or ticketing integration configured for the affected workload's owning team.
AvailableBecause no upstream fix has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears. In the meantime, customers with auto-remediation enabled can apply compensating controls such as network-policy isolation around services that expose translate_text.php.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable translate_text.php endpoint must be reachable over the network; an attacker sends a crafted HTTP request from any internet or internal network position.
- AuthenticationNot required
No account or session token is needed; the injected parameter is processed before any authentication check. (Note: the description says 'authenticated attacker' but the CVSS vector specifies PR:N, meaning no privileges are required according to the authoritative score.)
- Victim interactionNot required
The attacker sends the malicious request directly to the server; no user action or social engineering is involved.
- Attack complexityDetail
Exploitation is reliable and condition-free; the parameter is passed unsanitized into the query with no mitigating controls or race conditions required.
Blast Radius
- Reads all database contents accessible to the application database user, including stored records, credentials, and session data.
- Modifies or deletes persisted database rows, enabling data tampering or destruction.
- Crashes the affected database service or application process through malformed query injection, causing a denial of service.
- Depending on database-user privileges, may write files to the server filesystem via SQL outfile techniques, expanding attacker control beyond the database.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-34105 is a Critical-severity (CVSS 9.3) SQL injection with no published fix as of 2026-07-01. HarborGuard monitors the upstream advisory and the Guardian language-system repository each ingest cycle; a patched-image rebuild will become available automatically as soon as a fix commit or tagged release is published. While no patch exists, customers can apply compensating controls at the infrastructure layer: use Kubernetes NetworkPolicy or an equivalent mesh policy to restrict inbound HTTP access to services that expose translate_text.php to only trusted sources; apply a web application firewall rule that blocks SQL metacharacters in the id query parameter; and consider feature-flag gating or temporary disablement of the translate_text.php endpoint if the functionality is non-essential. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR-opening workflow will trigger automatically once an upstream fix is available, with no manual intervention required.
- guardian / language-system≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N