
GotoHTTP EUVD-2026-40033

CVE-2026-13536 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-29 VulDB GHSA-63j7-9hp3-gp4j
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS with no required privileges; scope changes to browser context giving limited confidentiality and integrity impact; user interaction mandatory to trigger.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline

Severity Changed: Jun 29, 2026 - 06:22 (NVD): MEDIUM → LOW
CVSS changed: Jun 29, 2026 - 06:22 (NVD): 5.3 (MEDIUM) → 2.1 (LOW)
Analysis Generated: Jun 29, 2026 - 05:47 (vuln.today)

Description (CVE.org)

A vulnerability has been found in GotoHTTP up to 10.2. This issue affects some unknown processing of the file /reg.12x. The manipulation of the argument sn leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "We immediately removed the unnecessary parameter echo from the source code. However, the URL in the issue description will never be used in a browser nor exposed to a user, so it will not bring a security problem in fact. So we don't upgrade the server right now; it will be included in the next version together with other features."

Analysis (AI)

Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the sn parameter in the /reg.12x endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify internet-exposed GotoHTTP instance
Delivery: Craft malicious URL with XSS payload in `sn` parameter
Exploit: Deliver link to GotoHTTP user via phishing
Execution: Victim opens URL in browser
Persist: Injected script executes in GotoHTTP origin
Impact: Attacker captures session tokens or performs browser-context actions

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that a victim user loads the attacker-crafted URL containing the malicious `sn` parameter in a web browser that has access to the GotoHTTP instance (UI:P per CVSS 4.0). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 base score of 5.3 (Medium) appropriately reflects the limited impact profile - only VI:L is affected, with no confidentiality or availability impact on the vulnerable or subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker crafts a URL targeting the GotoHTTP instance's `/reg.12x` endpoint with a malicious `sn` parameter containing a JavaScript payload (e.g., a cookie-stealing script), then delivers that link to a GotoHTTP user via phishing email or message. When the victim clicks the link and the browser renders the response, the injected script executes in the GotoHTTP origin's security context. …

Remediation: No patched release has been published at time of analysis - vendor-released patch not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.
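The description and the assessment above both turn on one pattern: a request parameter (`sn`) echoed into the HTML response of `/reg.12x` without encoding, which the vendor says it fixed by removing the echo. The following is an added example, not GotoHTTP's code and not from the advisory: a hypothetical handler that reflects `sn` the unsafe way, the two usual fixes (HTML-encode the value, or do not reflect it at all, which is the vendor's stated approach), a response check a tester can use to confirm a reflection is encoded, and a small sweep over constructed access-log lines that flags `/reg.12x` requests whose `sn` carries HTML metacharacters. Only the endpoint path and the parameter name come from the advisory; the template, log format and function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical page template (assumption): the value of `sn` is written into
# the page body, which is the "parameter echo" the vendor describes removing.
TEMPLATE = "<html><body><p>Serial: {sn}</p></body></html>"


def _sn_from_query(query: str) -> str:
    """Return the decoded `sn` value from a raw query string ('' if absent)."""
    return parse_qs(query).get("sn", [""])[0]


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: reflect the raw `sn` value straight into HTML."""
    return TEMPLATE.format(sn=_sn_from_query(query))


def render_escaped(query: str) -> str:
    """Hardened pattern 1: HTML-encode the value before reflecting it.

    html.escape with quote=True also encodes " and ', so the value is safe
    inside element text and inside quoted attribute values.
    """
    return TEMPLATE.format(sn=html.escape(_sn_from_query(query), quote=True))


def render_no_echo(query: str) -> str:
    """Hardened pattern 2 (the vendor's stated fix): do not reflect `sn` at all."""
    _sn_from_query(query)  # the value may still be processed server-side
    return "<html><body><p>Serial received.</p></body></html>"


def is_reflected_unescaped(query: str, body: str) -> bool:
    """Tester-side check: is an `sn` value containing HTML metacharacters
    present verbatim (i.e. unencoded) in the response body?"""
    sn = _sn_from_query(query)
    if not any(c in sn for c in "<>\"'"):
        return False  # nothing that could break out of text context
    return sn in body


# Constructed access-log lines in combined-log style (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jun/2026:05:47:01 +0000] "GET /reg.12x?sn=ABC123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Jun/2026:05:47:07 +0000] "GET /reg.12x?sn=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 530',
    '10.0.0.9 - - [29/Jun/2026:05:47:09 +0000] "GET /index.html?q=%3Cx%3E HTTP/1.1" 200 1024',
]

_REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_reg_requests(lines):
    """Detection sweep: return log lines for /reg.12x whose `sn` value,
    once percent-decoded, contains HTML metacharacters."""
    hits = []
    for line in lines:
        m = _REQUEST_TARGET.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/reg.12x":
            continue
        sn = _sn_from_query(parts.query)
        if any(c in sn for c in "<>\"'"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    probe = "sn=<b>x</b>"
    print("unsafe   :", render_unsafe(probe))
    print("escaped  :", render_escaped(probe))
    print("no echo  :", render_no_echo(probe))
    print("unsafe reflects unencoded:", is_reflected_unescaped(probe, render_unsafe(probe)))
    print("escaped reflects unencoded:", is_reflected_unescaped(probe, render_escaped(probe)))
    print("suspicious log lines:", len(suspicious_reg_requests(SAMPLE_LOG)))
```

The probe value used here is inert markup (`<b>x</b>`): it is enough to tell an encoded reflection from a raw one, which is all a regression check needs. In a log sweep, decode the query before inspecting it, as above; matching on the raw URL would miss percent-encoded values.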


EUVD-2026-40033 vulnerability details – vuln.today
