Stored XSS Vulnerability in WatchGuard Fireware OS SpamBlocker Module
CVE-2026-13376

4.8 MEDIUM

Key Information:

Vendor: WatchGuard
CVE Published: 2 July 2026

What is CVE-2026-13376?

A vulnerability in the WatchGuard Fireware OS spamBlocker module allows Stored XSS attacks owing to improper neutralization of input during web page generation. This flaw provides an additional attack vector that may be exploited in conjunction with a previously identified vulnerability, increasing the risk of unauthorized information exposure and manipulation. The affected versions are Fireware OS 12.0 through 12.12, 12.5 up to and including 12.5.18, and 2025.1 to 2026.2.

Affected Version(s)

Fireware OS 12.0 <= 12.12

Fireware OS 12.5 <= 12.5.18

Fireware OS 2025.1 <= 2026.2

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Simone Paganessi (https://www.linkedin.com/in/simonepaganessi)