Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS spamBlocker module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-1071.

This issue affects Fireware OS 12.0 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
Published: 2026-07-02
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, classified as improper neutralization of input during web page generation (CWE-79), allows stored cross-site scripting in the spamBlocker module of WatchGuard Fireware OS. An attacker who can inject JavaScript into spamBlocker settings causes that code to run whenever an affected user views the compromised configuration page, potentially leading to session hijacking, credential theft, or further network compromise. Because the payload is stored, the attack vector is persistent and can affect anyone who opens the affected web UI page; the vendor describes it as an additional unmitigated attack path for CVE-2025-1071.

Affected Systems

Affected releases are WatchGuard Fireware OS 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2 (each range inclusive). Systems running any of these versions should review their spamBlocker configuration for risk.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate (Medium) severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is currently no indication of widespread exploitation in the wild. An attacker would need to supply a crafted configuration via the spamBlocker module, which likely requires privileged administrative access to the Fireware OS web interface; the CVSS v4 vector recorded for this entry (PR:H, UI:P) is consistent with that reading. Because the payload is stored, the impact persists until the configuration is cleaned or the system is patched. The likely attack vector is therefore a privileged authenticated user who can modify spamBlocker settings; this inference rests on the vulnerability residing in the web UI configuration module.

Generated by OpenCVE AI on July 3, 2026 at 02:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Fireware OS update that eliminates the stored XSS flaw.
  • Disable the spamBlocker module or restrict its configuration interface to trusted administrators until the patch is in place.
  • Ensure that any user-supplied data entered into the spamBlocker UI is validated on input and escaped on output following CWE-79 best practices, and enforce a content security policy to block execution of injected scripts.

Generated by OpenCVE AI on July 3, 2026 at 02:59 UTC.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 23:30:00 +0000

Values Removed: none (initial record)

Values Added:
  Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS spamBlocker module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-1071. This issue affects Fireware OS 12.0 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
  Title: WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in spamBlocker Module
  First Time appeared: Watchguard; Watchguard fireware Os
  Weaknesses: CWE-79
  CPEs:
    cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.0
    cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.5
    cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1
  Vendors & Products: Watchguard; Watchguard fireware Os
  References: (none)
  Metrics: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: WatchGuard

Published:

Updated: 2026-07-02T23:05:26.669Z

Reserved: 2026-06-25T20:34:53.978Z

Link: CVE-2026-13376

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T03:00:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')