CVE-2026-13536

Stored XSS in GotoHTTP up to 10.2

Vulnerability report for CVE-2026-13536, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability has been found in GotoHTTP up to version 10.2. It affects an unknown part of the handling of the file /reg.12x: manipulation of the argument sn leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "We immediately removed the unnecessary parameter echo from the source code. However, the URL in the issue description will never be used in a browser nor exposed to users, so it will not bring a security problem in fact. So we don't upgrade the server right now; it will be included in the next version together with other features."


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: gotohttp
Product: gotohttp
Version / Range: up to 10.2 (inclusive)

CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.


Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) issue found in the /reg.12x endpoint of the GotoHTTP platform. It occurs because the sn parameter in HTTP GET requests is not properly sanitized and is directly echoed back to the client without HTML encoding.

An attacker can craft a malicious URL containing JavaScript code in the sn parameter. When a victim clicks this URL, the injected script executes in their browser, potentially allowing the attacker to hijack sessions, steal credentials, perform actions on behalf of the victim, or disclose information.

Impact Analysis

Exploitation of this vulnerability can lead to several security impacts including session hijacking, credential theft, unauthorized actions performed in the victim's context, and information disclosure.

  • Session hijacking
  • Credential theft
  • Arbitrary actions performed on behalf of the victim
  • Information disclosure

Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) issue that can lead to session hijacking, credential theft, arbitrary actions on behalf of the victim, or information disclosure. Such impacts can potentially result in unauthorized access to personal or sensitive data.

Because of these risks, this vulnerability could affect compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or disclosure.

However, the vendor states that the vulnerable URL is never used in browsers nor exposed to users, which they argue mitigates the practical security risk. Despite this, the existence of an exploitable XSS vulnerability may still pose compliance concerns depending on the environment and data handled.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP GET requests to the /reg.12x endpoint of the GotoHTTP platform with a malicious sn parameter containing JavaScript code. If the response reflects the sn parameter without proper HTML encoding, it indicates the presence of the reflected Cross-Site Scripting (XSS) vulnerability.

  • Use curl or similar tools to send a request like: curl -i "http://<target>/reg.12x?sn=<script>alert('xss')</script>"
  • Check the HTTP response for the presence of the injected script in the error message or response body.
  • Monitor network traffic for suspicious URLs containing the sn parameter with script tags or JavaScript code.

Mitigation Strategies
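The log-monitoring check from the last bullet written out as an added example (not code from the page or from the GotoHTTP vendor): it parses constructed access-log lines, decodes the sn parameter of requests to /reg.12x (including double-encoded values, which a single decode pass would miss) and reports requests carrying script content. The combined log format, the sample lines and the marker list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-format access-log line (assumed format; the sample below follows it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Conservative, case-insensitive markers for script content in a query value.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:|on[a-z]+\s*=|<\s*(img|svg|iframe)\b', re.I)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL-encoding so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def sn_values(target: str):
    """Yield every decoded sn value from a request target that points at /reg.12x."""
    parts = urlsplit(target)
    if parts.path.lower() != '/reg.12x':
        return
    # parse_qs already removes one encoding layer; fully_decode handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get('sn', []):
        yield fully_decode(raw)

def find_xss_probes(lines):
    """Return (client ip, status, decoded sn) for every request with script content in sn."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for sn in sn_values(m['target']):
            if XSS_MARKERS.search(sn):
                hits.append((m['ip'], int(m['status']), sn))
    return hits

# Constructed sample log: one benign request, one plain and one double-encoded probe,
# and a probe against a different path that must not be reported.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jun/2026:10:01:02 +0000] "GET /reg.12x?sn=ABC123 HTTP/1.1" 200 512',
    '198.51.100.9 - - [29/Jun/2026:10:01:05 +0000] "GET /reg.12x?sn=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.4 - - [29/Jun/2026:10:02:11 +0000] "GET /reg.12x?sn=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 655',
    '203.0.113.5 - - [29/Jun/2026:10:03:00 +0000] "GET /other?sn=%3Cscript%3E HTTP/1.1" 404 210',
]

if __name__ == '__main__':
    for ip, status, sn in find_xss_probes(SAMPLE_LOG):
        print(f'{ip} status={status} sn={sn!r}')
```

A 200 response to such a request is only a hint: the page text notes the vulnerable build echoes sn unencoded, so confirming exposure still means inspecting the response body as the second bullet describes.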

Immediate mitigation involves preventing the exploitation of the reflected XSS vulnerability by avoiding the use of the vulnerable /reg.12x endpoint or sanitizing the sn parameter input.

  • Remove or disable the /reg.12x endpoint if it is not necessary.
  • Implement input validation and proper HTML encoding on the sn parameter to prevent script injection.
  • Educate users to avoid clicking suspicious links containing the sn parameter.
  • Apply any vendor patches or updates when they become available, as the vendor plans to include fixes in the next version.
