CVE-2026-34097: Guardian Language-System XSS via id Parameter in text_file.php

CVSS 4.6 · Medium · EPSS 0.15% · P4

Affected Version Matrix (1)

Vendor | Product | Version Range | Status
guardian | language-system | ≤ e42c395ec4b03fe62973a669c9209a673838b8a4 | affected

I. Basic Information for CVE-2026-34097

Vulnerability Information

Vulnerability Title
Guardian Language-System XSS via id Parameter in text_file.php
Source: NVD (National Vulnerability Database)
Vulnerability Description
Guardian language-system fails to sanitize the id GET parameter before inserting it into multiple HTML form action attributes in text_file.php (lines 94, 101, 323, 403, 826, 852). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Source: NVD (National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
guardian | language-system | 0 ~ e42c395ec4b03fe62973a669c9209a673838b8a4 | -

II. Public POCs for CVE-2026-34097

No public POC found.

III. Intelligence Information for CVE-2026-34097

Vendor Advisories for CVE-2026-34097 (1)

Proof of Concept for CVE-2026-34097 (1)

Same Patch Batch · guardian · 2026-07-01 · 22 CVEs total

CVE-2026-34108 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text.php
CVE-2026-34109 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech.p
CVE-2026-34113 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech_t
CVE-2026-34104 | 9.8 CRITICAL | Guardian Language-System Unauthenticated SQL Injection via name Parameter in designer.php
CVE-2026-34107 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translat
CVE-2026-34110 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in complex_
CVE-2026-34114 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translat
CVE-2026-34115 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcri
CVE-2026-34111 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechma
CVE-2026-34102 | 9.8 CRITICAL | Guardian Language-System Unauthenticated SQL Injection via id Parameter in job_info_get.ph
CVE-2026-34105 | 9.8 CRITICAL | Guardian Language-System Unauthenticated SQL Injection via id Parameter in translate_text.
CVE-2026-34116 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcri
CVE-2026-34103 | 9.8 CRITICAL | Guardian Language-System Unauthenticated SQL Injection via id Parameter in subtitles.php
CVE-2026-34101 | 9.8 CRITICAL | Guardian Language-System Unauthenticated SQL Injection via id Parameter in text_file.php
CVE-2026-34112 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechma
CVE-2026-34106 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in subtitle
CVE-2026-34100 | 9.8 CRITICAL | Guardian Language-System Unauthenticated SQL Injection via id Parameter in media.php
CVE-2026-34117 | 9.8 CRITICAL | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text_to_
CVE-2026-34099 | 9.8 CRITICAL | Guardian Language-System Unauthenticated SQL Injection via id Parameter in job_info.php
CVE-2026-34096 | 4.6 MEDIUM | Guardian Language-System XSS via name Parameter in designer.php

Showing top 20 of 22 CVEs.
