Impact
Guardian Language-System concatenates the id GET parameter directly into a SQL query in media.php without any input sanitization. An attacker who can supply a crafted id value can trigger an error-based SQL injection that may reveal database contents, compromising the confidentiality of the system's data. The weakness is classed as a classic CWE-89 "SQL Injection" vulnerability.
Affected Systems
The vulnerability affects the Guardian Language-System web application. No specific product version information is listed in the advisory, so all installations of this system need to be assessed for the presence of media.php and its id handling.
Risk and Exploitability
The CVSS score of 9.3 indicates a high severity risk, and the vulnerability is considered exploitable because the application applies user input directly to a database query. No EPSS score is available, and the vulnerability is not catalogued in CISA KEV. Exploitation would likely proceed over the web, by accessing the media.php endpoint with a crafted id parameter. If the attacker can authenticate, they can extract sensitive data through the error messages produced.
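The concatenation pattern described in this advisory next to a hardened lookup, as an added example that is not Guardian Language-System's own code. The media table, its columns, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database; the "media" table and its columns are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE media (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO media (id, title) VALUES (1, 'lesson-1.mp3'), (2, 'lesson-2.mp3')");

// The pattern the advisory describes: the raw parameter becomes part of the SQL text.
function find_media_concatenated(PDO $pdo, string $rawId): ?array
{
    $row = $pdo->query('SELECT id, title FROM media WHERE id = ' . $rawId)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: validate the type first, then bind the value as a parameter.
function find_media_bound(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, title FROM media WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Handler sketch: database errors go to the server log, never into the response,
// which removes the error channel that error-based injection depends on.
function handle_request(PDO $pdo, string $rawId): array
{
    try {
        $row = find_media_bound($pdo, $rawId);
        return $row === null ? [404, 'not found'] : [200, $row['title']];
    } catch (InvalidArgumentException $e) {
        return [400, 'invalid id'];
    } catch (PDOException $e) {
        error_log('media lookup failed: ' . $e->getMessage());
        return [500, 'internal error'];
    }
}

foreach (['1', '2', '99', '1x', ''] as $sample) { // constructed inputs
    [$status, $body] = handle_request($pdo, $sample);
    printf("id=%-4s -> %d %s\n", var_export($sample, true), $status, $body);
}
```

When assessing an installation, look in media.php for the first shape (a query string built with the request value) and for database error text reaching the HTTP response.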