CVE-2026-13373
Medium, CVSS 4.8
Summary
A Stored Cross-Site Scripting (XSS) vulnerability has been found in the Tigerpaw Technology Integration module of WatchGuard Fireware OS. An attacker can inject malicious JavaScript code into web pages, which will execute in other users' browsers. This is an additional unmitigated attack vector for the previously disclosed CVE-2025-13936.
Risk Assessment
The risk includes theft of administrator sessions, account takeover, firewall configuration modification, and leakage of sensitive network data. The attack can be performed without authentication if the victim visits a crafted page.
Recommendation
Immediately upgrade Fireware OS to a version newer than 12.12, 12.5.18, or 2026.2, depending on the branch used. If a patch is not available, temporarily disable the Tigerpaw Technology Integration module.
Original NVD description (English source)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13936. This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.

