CVE-2026-34096
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
The XSS vulnerability in the Guardian language-system fails to sanitize the 'name' GET parameter before outputting it into an HTML input value attribute in designer.php (line 57). An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session.
Risk Assessment
The risk involves the execution of arbitrary JavaScript in the victim's browser, potentially leading to session theft, content modification, or further attacks on system users.
Recommendation
Implement proper sanitization of the 'name' parameter before outputting it in HTML, such as HTML entity encoding or using functions like htmlspecialchars(). Also, update to the latest version of the Guardian system.
Original NVD description (English source)
Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php (line 57). An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session.

