CVE-2026-13373 Overview
CVE-2026-13373 is a stored cross-site scripting (XSS) vulnerability in the Tigerpaw Technology Integration module of WatchGuard Fireware OS. The flaw stems from improper neutralization of user-controlled input during web page generation [CWE-79]. It represents an additional unmitigated attack path for CVE-2025-13936. An authenticated high-privileged attacker can inject persistent script content that executes in the browser of another management user. The vulnerability affects Fireware OS 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2 across the full Firebox appliance line.
Critical Impact
Stored XSS in the Firebox management interface allows an authenticated attacker to execute arbitrary script content in another administrator's browser session, enabling manipulation of firewall configuration workflows.
Affected Products
- WatchGuard Fireware OS 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2
- WatchGuard Firebox M-series and T-series hardware appliances (M270 through M695, T15 through T185)
- WatchGuard FireboxV and FireboxCloud virtual appliances
Discovery Timeline
- 2026-07-03 - CVE-2026-13373 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-13373
Vulnerability Analysis
The vulnerability resides in the Tigerpaw Technology Integration module of Fireware OS. This module allows Firebox appliances to interact with the Tigerpaw business management platform used by managed service providers. The module accepts configuration input from an authenticated administrator and stores it for later rendering in the web management interface.
Because the stored input is not properly sanitized or output-encoded, an attacker with high privileges can embed script payloads that persist in the appliance configuration. When another administrator subsequently views the affected management page, the browser executes the injected script in the context of the Fireware management origin.
WatchGuard identifies this issue as an additional unmitigated attack path for CVE-2025-13936, indicating the earlier patch did not cover every input reaching the vulnerable rendering path.
Root Cause
The root cause is missing or incomplete output encoding of user-supplied fields in the Tigerpaw integration configuration. Input containing HTML control characters or <script> constructs is written to storage and later inserted into a rendered page without contextual escaping.
Attack Vector
Exploitation requires network access to the Firebox management interface and authenticated administrator credentials. The attacker submits a malicious payload through the Tigerpaw integration configuration form. User interaction from a second administrator is required to trigger execution when that user navigates to the affected view. The malicious script then runs with the privileges of the viewing administrator session.
No public proof-of-concept exploit is available and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-13373
Indicators of Compromise
- Unexpected HTML tags, <script> fragments, or JavaScript event handlers stored in Tigerpaw integration configuration fields.
- Administrator sessions issuing management API calls that were not initiated by the user, particularly configuration changes originating from an existing session token.
- Outbound HTTP requests from administrator workstations to unfamiliar domains immediately after loading the Fireware management console.
Detection Strategies
- Review Fireware configuration exports for the Tigerpaw integration section and flag any values containing angle brackets, javascript: URIs, or encoded script markers.
- Monitor management-plane audit logs for changes to the Tigerpaw integration configuration by administrator accounts.
- Inspect browser Content Security Policy violation reports generated when administrators access the Firebox web UI, if CSP reporting is enabled at the workstation level.
Monitoring Recommendations
- Alert on administrator account modifications to Tigerpaw settings outside change windows.
- Correlate Firebox management logins with subsequent unexpected configuration changes across the appliance.
- Track network egress from administrator workstations during and immediately after Firebox management sessions.
How to Mitigate CVE-2026-13373
Immediate Actions Required
- Upgrade Fireware OS to a fixed release as identified in the WatchGuard security advisory WGSA-2026-00015.
- Restrict access to the Firebox management interface to a dedicated management network and known administrator IP ranges.
- Audit existing Tigerpaw integration configuration fields for stored payloads and remove any that contain HTML or script content.
- Rotate administrator credentials if unexpected configuration changes are found.
Patch Information
WatchGuard has published guidance and fixed versions in the WatchGuard Security Advisory WGSA-2026-00015. Administrators should apply the vendor-supplied Fireware OS update that corresponds to their currently deployed branch (12.5.x, 12.x, or 2025.1–2026.2).
Workarounds
- Disable the Tigerpaw Technology Integration module on appliances where the feature is not required.
- Limit administrator role assignment so that only trusted personnel hold the high-privilege role required to configure integrations.
- Require administrators to use isolated browser profiles or dedicated management workstations when accessing the Firebox web UI, reducing the impact of script execution in an administrator session.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

