CVE-2026-34098
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
The vulnerability in the Guardian language-system fails to sanitize the 'id' GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
Risk Assessment
The risk includes arbitrary JavaScript execution in the victim's browser, potentially leading to session theft, account takeover, or sensitive data leakage.
Recommendation
Immediately update the Guardian language-system to the latest patched version and implement input validation and sanitization for all GET parameters before using them in HTML context.
Original NVD description (English source)
Guardian language-system fails to sanitize the id GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.

