Cross Site Scripting Vulnerability in GotoHTTP by GoTo Technology
CVE-2026-13536

5.3 MEDIUM

Key Information:

Status
Vendor
CVE Published: 29 June 2026

Badges

👾 Exploit Exists
🟡 Public PoC

What is CVE-2026-13536?

A cross-site scripting (XSS) vulnerability has been identified in GotoHTTP versions up to 10.2, in the processing of the /reg.12x file. By manipulating the 'sn' argument, a remote attacker can cause scripts to execute in the context of the user's session. The vendor has stated that they removed the problematic parameter from the source code, but they note that this vulnerability does not pose a significant risk because the described URL is not intended for user access. They plan to include further security measures in a future update.

Affected Version(s)

GotoHTTP 10.0

GotoHTTP 10.1

GotoHTTP 10.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

songmaoyang (VulDB User)
VulDB CNA Team