Executive Summary
CVE-2026-13536 is a reflected Cross-Site Scripting (XSS) vulnerability affecting the GotoHTTP remote access platform, specifically in the /reg.12x endpoint. The vulnerability arises from improper sanitization of the sn parameter, allowing unauthenticated attackers to inject arbitrary JavaScript into a victim's browser if the victim visits a crafted URL. A public proof-of-concept (PoC) exploit is available, and the vendor has acknowledged the issue, removing the vulnerable parameter from the source code for the next release. As of this report, there are no confirmed reports of active exploitation or attribution to any Advanced Persistent Threat (APT) groups. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Technical Information
CVE-2026-13536 targets the GotoHTTP remote control software, up to and including version 10.2. The vulnerability is present in the /reg.12x endpoint, where the sn parameter is reflected in server responses without proper HTML encoding or input validation. This enables reflected XSS attacks, where an attacker can craft a malicious URL containing JavaScript code in the sn parameter. When a victim visits this URL, the injected script executes in the context of the victim's browser session.
The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The attack vector is remote and unauthenticated, but requires user interaction—specifically, the victim must visit a crafted URL. The CVSS v3.1 base score is 4.3 (Medium), with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, required user interaction, and limited impact on integrity. The CVSS v4.0 score is 2.1 (Low), reflecting the requirement for user interaction and the limited scope of the vulnerability.
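To make the CWE-79 defect concrete, the following added example (not GotoHTTP's code, whose server implementation is not public) models a hypothetical /reg.12x handler that builds its response from the query string in the PoC URL, once reflecting sn verbatim and once with contextual HTML encoding. The function names and the page template are assumptions.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed query string with the same shape as the public PoC URL
# for /reg.12x (c=1&sn=<url-encoded payload>).
POC_QUERY = "c=1&sn=%3Cscript%3Ealert('xss')%3C/script%3E"


def render_reg_page(query_string: str, encode_output: bool) -> str:
    """Build the HTML body a /reg.12x-style handler would return.

    Hypothetical handler for illustration only.
    encode_output=False models the CWE-79 defect: ``sn`` is placed into the
    page verbatim, so markup in it is parsed by the browser.
    encode_output=True applies HTML-body-context encoding, so the same
    input is rendered as inert text.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    sn = params.get("sn", [""])[0]      # parse_qs already URL-decodes once
    if encode_output:
        sn = escape(sn, quote=True)     # & < > " ' become entities
    return f"<html><body><p>Serial: {sn}</p></body></html>"


def reflects_markup(html: str, payload: str = "<script>alert('xss')</script>") -> bool:
    """True when the payload reaches the response as live markup."""
    return payload in html
```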
A typical attack scenario involves an adversary sending a phishing email or message containing a crafted link to the vulnerable endpoint. If the recipient clicks the link, the malicious JavaScript executes in their browser, potentially leading to session hijacking, credential theft, or further client-side attacks. The vendor has stated that the vulnerable URL is not typically exposed to users in normal operation, but the existence of a public PoC and the low complexity of exploitation increase the risk of opportunistic attacks.
Exploitation in the Wild
As of the time of writing, there are no confirmed reports of active exploitation of CVE-2026-13536 in the wild. However, a public PoC exploit is available on GitHub, which demonstrates the ease with which the vulnerability can be triggered. The PoC shows that by visiting a URL such as https://tohttp.com/reg.12x?c=1&sn=%3Cscript%3Ealert('xss')%3C/script%3E, the JavaScript code alert('xss') is executed in the victim's browser. The presence of a public PoC increases the likelihood of opportunistic exploitation, especially via phishing or social engineering campaigns.
The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and there is no evidence from authoritative sources of widespread exploitation or integration into automated attack tools.
APT Groups using this vulnerability
No public or OSINT sources attribute exploitation of CVE-2026-13536 to any known APT groups. There are no reports of targeted campaigns against specific sectors or countries leveraging this vulnerability. The current risk is primarily from opportunistic attackers or penetration testers using the public PoC.
Affected Product Versions
The following versions of GotoHTTP are affected by CVE-2026-13536: GotoHTTP 10.0, GotoHTTP 10.1, and GotoHTTP 10.2. The vulnerability is present in all versions up to and including 10.2. The vendor has stated that the fix will be included in the next version, and the vulnerable parameter has been removed from the source code.
Workaround and Mitigation
Until an official update is released, organizations using GotoHTTP should take the following actions. Monitor web server logs for suspicious access to the /reg.12x endpoint, especially requests containing encoded or suspicious sn parameters. Restrict access to the vulnerable endpoint if possible, for example by using web application firewalls or network segmentation. Educate users about the risks of clicking on unsolicited or suspicious links, as exploitation requires user interaction. Apply vendor updates as soon as the next version is released, which will include the fix for this vulnerability.
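As an added example of the log-monitoring step above (not part of the original advisory), the following script scans constructed common-log-format access lines for /reg.12x requests whose sn value, after undoing repeated percent-encoding, contains markup or script-like content. The sample lines, IP addresses and the heuristic pattern are assumptions; real GotoHTTP log formats may differ.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (common log format); not real GotoHTTP traffic.
# Line 3 carries the PoC payload double-encoded to show the decoding loop.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /reg.12x?c=1&sn=ABC123 HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2026:10:00:07 +0000] "GET /reg.12x?c=1&sn=%3Cscript%3Ealert('xss')%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [01/Mar/2026:10:00:09 +0000] "GET /reg.12x?c=1&sn=%253Cscript%253Ealert('xss')%253C/script%253E HTTP/1.1" 200 640
10.0.0.7 - - [01/Mar/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A serial number has no business containing tags, event handlers or URL schemes.
SUSPICIOUS = re.compile(r"[<>]|javascript:|on\w+\s*=", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; stop once decoding is a no-op."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_reg_requests(log_text: str) -> list:
    """Return (client_ip, decoded_sn) for /reg.12x requests with a suspicious sn."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/reg.12x":
            continue
        # parse_qs decodes once; fully_decode catches double-encoded values.
        for sn in parse_qs(url.query).get("sn", []):
            sn = fully_decode(sn)
            if SUSPICIOUS.search(sn):
                hits.append((line.split(" ", 1)[0], sn))
    return hits
```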
Indicators of Compromise
No public indicators of compromise were available at the time of writing. Note that indicators of compromise are point-in-time and should be validated before being enforced in your environment.
References
NVD: CVE-2026-13536
VulDB: CVE-2026-13536
VulDB Technical Details
PoC and Discussion (GitHub)
Rescana is here for you
Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their supply chain and vendor ecosystem. Our platform leverages advanced automation and threat intelligence to deliver actionable insights and help you stay ahead of emerging threats. We are happy to answer questions at info@rescana.com.