Description
Guardian language-system fails to sanitize the id GET parameter before inserting it into multiple HTML form action attributes in text_file.php (lines 94, 101, 323, 403, 826, 852). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
Published: 2026-07-01
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker can craft a URL containing script tags in the id parameter, which the application inserts directly into several HTML form action attributes without sanitization. This can cause arbitrary script execution in the victim’s browser session, potentially enabling session hijacking, credential theft, or further attacks. The vulnerability is an instance of improper input handling (CWE‑79).

Affected Systems

The vulnerability affects Guardian language‑system. No specific version information is provided in the advisory.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The EPSS score is not available, so exploitation probability cannot be precisely quantified. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication and an attacker can specify arbitrary script payloads, the likely attack vector is web‑based exploitation by a legitimate user account. Overall risk is moderate, but could be higher in environments where privileged accounts are used to abuse the vulnerability.

Generated by OpenCVE AI on July 1, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch for Guardian language‑system that validates or encodes the id GET parameter before inserting it into HTML, once one is released.
  • Restrict access to text_file.php to only the roles that truly need it, or block unauthenticated requests to that page.
  • Implement input sanitization or output encoding on the id parameter so that any embedded script tags are neutralized.
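
One way to apply the validation and output-encoding recommendations to a form action attribute. This is an added example, not code from Guardian language-system or the advisory; the helper names `parse_id` and `form_action`, the assumption that ids are positive integers, and the sample inputs are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the real text_file.php source is not shown in the advisory.

/**
 * Return the id as a positive integer, or null if it is not one.
 * Assumption: ids are numeric. If they are not, rely on form_action() alone.
 */
function parse_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // rejects array input such as ?id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Build the value of a form action attribute.
 * The id is URL-encoded for the query string, then the whole URL is
 * HTML-encoded (quotes included) for the attribute context.
 */
function form_action(string $script, string $id): string
{
    $url = $script . '?id=' . rawurlencode($id);
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['id'].
$samples = ['42', '42"><b>x', ['42']];

foreach ($samples as $raw) {
    $id = parse_id($raw);
    if ($id === null) {
        echo 'rejected: ', json_encode($raw), PHP_EOL;
        continue;
    }
    echo '<form method="post" action="', form_action('text_file.php', (string) $id), '">', PHP_EOL;
}

// Encoding alone, for the case where ids are not numeric: the quote and
// angle brackets can no longer close the attribute or open a tag.
echo form_action('text_file.php', '42"><b>x'), PHP_EOL;
```

The same encoding has to be applied at every place the id is written into markup; the description lists six such lines in text_file.php.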



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 18:30:00 +0000

Values added (none removed):
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 16:30:00 +0000

Values added (none removed):
  • Description: Guardian language-system fails to sanitize the id GET parameter before inserting it into multiple HTML form action attributes in text_file.php (lines 94, 101, 323, 403, 826, 852). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
  • Title: Guardian Language-System XSS via id Parameter in text_file.php
  • Weaknesses: CWE-79
  • References:
  • Metrics (cvssV3_1): {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
  • Metrics (cvssV4_0): {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T17:34:31.927Z

Reserved: 2026-03-25T18:43:09.826Z

Link: CVE-2026-34097

Vulnrichment

Updated: 2026-07-01T17:34:28.603Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T18:15:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')