CVE Catalog

CVE-2026-13376

Severity: Medium (CVSS 4.8)
Source: NVD (NIST)

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was found in the spamBlocker module of WatchGuard Fireware OS due to improper input neutralization during web page generation. This is an additional unmitigated attack vector for CVE-2025-1071.

Risk Assessment

An attacker can inject a malicious script that executes in the browsers of administrators or users, potentially leading to session theft, account takeover, or theft of sensitive data.

Recommendation

Immediately update WatchGuard Fireware OS to a version later than 12.12, 12.5.18, or 2026.2, depending on the release branch, once the vendor provides the appropriate patch.

Original NVD description (English source)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS spamBlocker module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-1071. This issue affects Fireware OS 12.0 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS