Description
A vulnerability has been found in GotoHTTP up to 10.2. This issue affects some unknown processing of the file /reg.12x. The manipulation of the argument sn leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "We immediately removed unnecessary parameter echo from source code. However the URL in the issue description will never be used in browser nor exposed to user, so it will not bring secure problem in fact. So we don't upgrade server right now, it will be included in next version together with other features."
Published: 2026-06-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in GotoHTTP version 10.2 and earlier allows an attacker to supply a specially crafted value for the sn argument of the /reg.12x endpoint. The server echoes this value back to the client without neutralizing it, enabling stored or reflected cross-site scripting (CWE-79). If a malicious script is injected, it runs in the context of any user who loads the affected page, potentially stealing session cookies or defacing content. The vendor notes that the URL is not intended for browser use and claims no security impact, yet the CVSS rating of 5.3 reflects the potential for client-side compromise.

Affected Systems

The vulnerability is present in the open-source GotoHTTP application, specifically in releases up to and including 10.2. No other version range is documented; any installation running a 10.2 build or earlier should be considered vulnerable.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as moderate in severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known large-scale exploitation. However, because the flaw can be triggered remotely via a crafted sn parameter, an attacker could embed arbitrary client-side code in the response. Triggering the flaw requires only HTTP access to the /reg.12x endpoint, so the attack surface is wide; the impact, however, depends on whether users load the affected page, and only then is client-side compromise possible.

Generated by OpenCVE AI on June 29, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GotoHTTP to a release newer than 10.2 when available
  • If an upgrade is not possible, restrict access to the /reg.12x endpoint to trusted users or disable it entirely
  • Deploy a web application firewall to filter out XSS payloads targeting the sn parameter
  • Monitor web logs for unusual sn values or repeated XSS attempts
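The last two recommendations (filter and monitor the sn parameter) are easier to act on with concrete detection logic. The following is an added example, not code from OpenCVE or from the GotoHTTP project: it parses Combined Log Format access-log lines, extracts every sn value sent to /reg.12x (the endpoint named in this record), flags values that contain HTML/JavaScript markup or that do not look like a serial number, and counts repeat offenders per client address. The sample log lines, the allowed serial-number shape (short, alphanumeric with hyphens), and the two-hit threshold are assumptions made for the example; the real sn format is not documented on this page.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jun/2026:06:00:01 +0000] "GET /reg.12x?sn=ABC123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [29/Jun/2026:06:00:02 +0000] "GET /reg.12x?sn=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.12 - - [29/Jun/2026:06:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [29/Jun/2026:06:00:04 +0000] "GET /reg.12x?sn=XYZ%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.13 - - [29/Jun/2026:06:00:05 +0000] "GET /reg.12x?sn=ABC%20123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields of a Combined Log Format line that the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Endpoint named in the advisory.
AFFECTED_PATH = "/reg.12x"

# Assumption for this example: a legitimate sn is a short alphanumeric
# serial number; tighten or loosen this once the real format is known.
SN_EXPECTED = re.compile(r'^[A-Za-z0-9-]{1,64}$')

# Characters and tokens that never belong in a serial number but are the
# building blocks of markup injected into a reflected value.
MARKUP_RE = re.compile(r'''[<>"']|javascript:|\bon[a-z]+\s*=''', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sn_values(target):
    """Return all decoded sn query values for requests to the affected path."""
    parts = urlsplit(target)
    if parts.path != AFFECTED_PATH:
        return []
    # parse_qs percent-decodes, so we inspect what the server actually saw.
    return parse_qs(parts.query, keep_blank_values=True).get("sn", [])


def classify_sn(value):
    """'markup' for injection-like content, 'unexpected-format' for anything
    else outside the assumed serial-number shape, otherwise 'ok'."""
    if MARKUP_RE.search(value):
        return "markup"
    if not SN_EXPECTED.match(value):
        return "unexpected-format"
    return "ok"


def scan_log(text):
    """Return one finding per suspicious sn value, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for sn in sn_values(rec["target"]):
            verdict = classify_sn(sn)
            if verdict != "ok":
                findings.append(
                    {"ip": rec["ip"], "ts": rec["ts"], "sn": sn, "reason": verdict}
                )
    return findings


def repeat_offenders(findings, threshold=2):
    """Client addresses with at least `threshold` suspicious sn submissions."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} reason={f['reason']} sn={f['sn']!r}")
    print("repeat offenders:", repeat_offenders(found))
```

Run against the constructed sample, the scan reports three findings (two markup hits from the same address and one value with an unexpected format) and names 203.0.113.11 as a repeat offender. Pointing `scan_log` at a real access log (for example `scan_log(open("access.log").read())`) gives a quick triage list; the allowlist check is the more valuable half, because it also catches probes that avoid the obvious markup characters.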


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 05:30:00 +0000

Type: Values Removed / Values Added (initial entry; no values removed)

  • Description: A vulnerability has been found in GotoHTTP up to 10.2. This issue affects some unknown processing of the file /reg.12x. The manipulation of the argument sn leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "We immediately removed unnecessary parameter echo from source code. However the URL in the issue description will never be used in browser nor exposed to user, so it will not bring secure problem in fact. So we don't upgrade server right now, it will be included in next version together with other features."
  • Title: GotoHTTP reg.12x cross site scripting
  • First Time appeared: Gotohttp; Gotohttp gotohttp
  • Weaknesses: CWE-79; CWE-94
  • CPEs: cpe:2.3:a:gotohttp:gotohttp:*:*:*:*:*:*:*:*
  • Vendors & Products: Gotohttp; Gotohttp gotohttp
  • References: (none)
  • Metrics:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:C'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T04:45:06.962Z

Reserved: 2026-06-28T09:31:19.810Z

Link: CVE-2026-13536

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T06:30:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')