CVE-2026-13374
MediumCVSS 4.8Summary
Stored XSS vulnerability in the ConnectWise Technology Integration module of WatchGuard Fireware OS. This is an additional unmitigated attack vector for CVE-2025-13937.
Risk Assessment
An attacker can inject a malicious script that executes in administrators' browsers, leading to session theft, account takeover, or further privilege escalation.
Recommendation
Immediately upgrade Fireware OS to a version later than 12.12, 12.5.18, or 2026.2, depending on the release line used.
Original NVD description (English source)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13937. This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.

