
Gotohttp

1 CVEs product


CVE-2026-13536 LOW POC Monitor

Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the `sn` parameter in the `/reg.12x` endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). The vendor has acknowledged the flaw and removed the parameter echo from source code, but explicitly declined to release a patched build immediately, stating that the affected URL is not normally surfaced in a browser or exposed to end users. That claim partially limits real-world risk but does not eliminate it. No active exploitation has been confirmed (not in CISA KEV); however, the public POC lowers the bar for abuse.

XSS Gotohttp
NVD VulDB GitHub
CVSS 4.0: 2.1
EPSS: 0.3%
