CVE-2026-13371

Summary

An authenticated administrator can trigger a denial-of-service condition in the Fireware Management Web UI by sending malformed or crafted data to the put_data endpoint, which performs unsafe deserialization of the attacker-supplied input.

Affected Software

VendorProductVersion RangeStatus
WatchGuardFireware OS12.0 <= 12.12affected
WatchGuardFireware OS12.5 <= 12.5.18affected
WatchGuardFireware OS2025.1 <= 2026.2affected

Weaknesses

  • CWE-502: CWE-502 Deserialization of Untrusted Data

References