CVE Catalog

CVE-2026-34098

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

The vulnerability in the Guardian language-system fails to sanitize the 'id' GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.

Risk Assessment

The risk includes arbitrary JavaScript execution in the victim's browser, potentially leading to session theft, account takeover, or sensitive data leakage.

Recommendation

Immediately update the Guardian language-system to the latest patched version and implement input validation and sanitization for all GET parameters before using them in HTML context.

Original NVD description (English source)

Guardian language-system fails to sanitize the id GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS