Description
Guardian language-system fails to sanitize the id GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
Published: 2026-07-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Guardian language‑system has a reflected cross‑site scripting flaw where the id GET parameter is placed directly into HTML source and form action attributes of media.php. An attacker who is logged in can craft a URL containing script tags. When the victim visits the URL, the script runs in the browser session, allowing cookie theft or execution of arbitrary client‑side actions on behalf of the logged‑in user. This weakness is identified as CWE‑79.

Affected Systems

The product in question is Guardian language‑system. The CVE description gives no version range, so any build whose media.php inserts the id parameter into the page without sanitization may be affected. Whether recent releases fix the issue is not known; the absence of explicit version data leaves this uncertain.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity; the impact is limited, but the flaw still creates potential for session and credential abuse. EPSS data is unavailable, and the vulnerability is not tracked by CISA KEV, suggesting there is no known widespread exploitation. The flaw requires that the attacker be authenticated to the system, and the injected script runs only when a logged‑in user visits the crafted URL. Consequently, the risk is elevated only if user credentials are compromised or misused, and no public exploits have been reported at this time.

Generated by OpenCVE AI on July 2, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or upgrade to a version where the id parameter is properly sanitized before being inserted into the page.
  • On the application side, implement server‑side validation and output encoding for the id parameter, ensuring that any content is safely escaped before inclusion in HTML or form action fields.
  • Limit access to media.php to users with sufficient privileges—enforce role‑based access control so that only authorized content editors can invoke the page.
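
The second recommended action (server‑side validation plus output encoding of the id parameter) is illustrated below with a constructed PHP example. This is an added example, not Guardian language‑system's own media.php: the reflected pattern on the left‑hand function is a hypothetical reconstruction of the sink the advisory describes, and the assumption that media ids are positive integers is ours, not the vendor's.

```php
<?php
// Constructed example (not the project's media.php). It shows a page that
// reflects the id GET parameter into a form action attribute and the HTML
// body, as the advisory describes, beside a hardened rendering of the same page.

// Vulnerable pattern: the raw parameter is concatenated into the attribute and
// the body, so a value containing quotes or tags is echoed back unchanged.
function render_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return '<form action="media.php?id=' . $id . '" method="post">'
         . '<p>Editing media item ' . $id . '</p></form>';
}

// Step 1: validate the shape of the input before it reaches any sink.
// Assumption for this example: media ids are positive integers.
function validate_id(string $raw): ?int
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Step 2: encode at every output point. ENT_QUOTES covers both quote styles,
// which matters because the sink here is an HTML attribute value.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: reject anything that is not a well-formed id, and still
// encode the validated value on output so the two defenses are independent.
function render_hardened(array $get): string
{
    $id = validate_id((string) ($get['id'] ?? ''));
    if ($id === null) {
        http_response_code(400);
        return '<p>Invalid media id.</p>';
    }
    $action = esc_html('media.php?id=' . $id);
    return '<form action="' . $action . '" method="post">'
         . '<p>Editing media item ' . esc_html((string) $id) . '</p></form>';
}

// Demonstration with a constructed hostile value that breaks out of the
// attribute and carries a script tag, plus a benign value.
$hostile = ['id' => '1"><script>x</script>'];
echo render_vulnerable($hostile), "\n"; // markup is reflected verbatim
echo render_hardened($hostile), "\n";   // rejected: <p>Invalid media id.</p>
echo render_hardened(['id' => '42']), "\n";
```

Validation alone would be enough for an integer id, but keeping the encoding step means the page stays safe if the id format is later widened to free text. Because the analysis above names cookie theft as the main consequence, marking the session cookie HttpOnly reduces that particular impact, although it does not prevent the injection itself.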

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Description Guardian language-system fails to sanitize the id GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
Title Guardian Language-System XSS via id Parameter in media.php
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T18:12:04.580Z

Reserved: 2026-03-25T18:43:09.826Z

Link: CVE-2026-34098

Vulnrichment

Updated: 2026-07-01T18:11:55.696Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T16:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')