20 vulnerabilities found for filament by filamentphp
CVE-2026-55409 (GCVE-0-2026-55409)
Vulnerability from nvd – Published: 2026-06-22 21:47 – Updated: 2026-06-23 12:15
Title
Filament: Disabled RichEditor field state can be used for XSS
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 3.0.0, < 3.3.53
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:14:53.175913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:15:00.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.53"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field\u0027s state isn\u0027t sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:47:51.607Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-m9cv-24rx-8mv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-m9cv-24rx-8mv7"
}
],
"source": {
"advisory": "GHSA-m9cv-24rx-8mv7",
"discovery": "UNKNOWN"
},
"title": "Filament: Disabled RichEditor field state can be used for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55409",
"datePublished": "2026-06-22T21:47:51.607Z",
"dateReserved": "2026-06-16T21:48:43.124Z",
"dateUpdated": "2026-06-23T12:15:00.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48505 (GCVE-0-2026-48505)
Vulnerability from nvd – Published: 2026-06-22 21:39 – Updated: 2026-06-23 14:28
Title
Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, each recovery code burned yields two authenticated sessions instead of one — or more if the attacker submits a larger batch of parallel requests — materially extending the attacker's window of access beyond what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.11.5
Affected:
>= 5.0.0, < 5.6.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:28:27.382918Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T14:28:42.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user\u0027s password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker\u0027s window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:42:19.537Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh"
}
],
"source": {
"advisory": "GHSA-mc5j-f6wx-h9qh",
"discovery": "UNKNOWN"
},
"title": "Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48505",
"datePublished": "2026-06-22T21:39:26.304Z",
"dateReserved": "2026-05-21T16:18:10.618Z",
"dateUpdated": "2026-06-23T14:28:42.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48500 (GCVE-0-2026-48500)
Vulnerability from nvd – Published: 2026-06-22 21:41 – Updated: 2026-06-23 13:52
Title
Filament: Unauthenticated temporary file upload on auth pages
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 3.0.0, < 3.3.52
Affected:
>= 5.0.0, < 5.6.5
Affected:
>= 4.0.0, < 4.11.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T13:51:46.634712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T13:52:57.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.52"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire\u0027s WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application\u0027s temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:41:17.776Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5"
}
],
"source": {
"advisory": "GHSA-44wp-g8f4-f4v5",
"discovery": "UNKNOWN"
},
"title": "Filament: Unauthenticated temporary file upload on auth pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48500",
"datePublished": "2026-06-22T21:41:17.776Z",
"dateReserved": "2026-05-21T15:33:08.292Z",
"dateUpdated": "2026-06-23T13:52:57.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48167 (GCVE-0-2026-48167)
Vulnerability from nvd – Published: 2026-06-22 21:43 – Updated: 2026-06-23 12:32
Title
Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.11.5
Affected:
>= 5.0.0, < 5.6.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:31:17.201932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:32:20.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn\u0027t validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:43:42.489Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4"
}
],
"source": {
"advisory": "GHSA-3fc8-8hp6-6jr4",
"discovery": "UNKNOWN"
},
"title": "Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48167",
"datePublished": "2026-06-22T21:43:42.489Z",
"dateReserved": "2026-05-20T23:12:43.032Z",
"dateUpdated": "2026-06-23T12:32:20.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48166 (GCVE-0-2026-48166)
Vulnerability from nvd – Published: 2026-06-22 21:40 – Updated: 2026-06-23 12:29
Title
Filament: Timing-based user enumeration on login page
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.11.5
Affected:
>= 5.0.0, < 5.6.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:28:19.870932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:29:33.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:42:37.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f"
}
],
"source": {
"advisory": "GHSA-5w46-g9pq-wh6f",
"discovery": "UNKNOWN"
},
"title": "Filament: Timing-based user enumeration on login page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48166",
"datePublished": "2026-06-22T21:40:01.897Z",
"dateReserved": "2026-05-20T23:12:43.032Z",
"dateUpdated": "2026-06-23T12:29:33.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48067 (GCVE-0-2026-48067)
Vulnerability from nvd – Published: 2026-06-22 21:46 – Updated: 2026-06-23 14:29
Title
Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fields
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.11.4
Affected:
>= 5.0.0, < 5.6.4
Affected:
>= 3.0.0, < 3.3.51
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:29:10.944113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T14:29:20.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.4"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.51"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component\u0027s state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:46:27.323Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr"
}
],
"source": {
"advisory": "GHSA-7q3w-xqjw-g3cr",
"discovery": "UNKNOWN"
},
"title": "Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48067",
"datePublished": "2026-06-22T21:46:27.323Z",
"dateReserved": "2026-05-20T18:25:25.707Z",
"dateUpdated": "2026-06-23T14:29:20.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33080 (GCVE-0-2026-33080)
Vulnerability from nvd – Published: 2026-03-20 08:58 – Updated: 2026-03-25 13:46
Title
Filament: Unvalidated Range and Values summarizer values can be used for XSS
Summary
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://github.com/filamentphp/filament/commit/ef… | x_refsource_MISC |
| https://github.com/filamentphp/filament/releases/… | x_refsource_MISC |
| https://github.com/filamentphp/filament/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.8.5
Affected:
>= 5.0.0, < 5.3.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:44:22.834939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:46:27.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.8.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T08:58:45.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc"
},
{
"name": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v4.8.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v5.3.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5"
}
],
"source": {
"advisory": "GHSA-vv3x-j2x5-36jc",
"discovery": "UNKNOWN"
},
"title": "Filament: Unvalidated Range and Values summarizer values can be used for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33080",
"datePublished": "2026-03-20T08:58:45.360Z",
"dateReserved": "2026-03-17T19:27:06.345Z",
"dateUpdated": "2026-03-25T13:46:27.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67507 (GCVE-0-2025-67507)
Vulnerability from nvd – Published: 2025-12-10 00:43 – Updated: 2025-12-10 15:28
Title
Filament's multi-factor authentication (app) recovery codes can be used multiple times
Summary
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://github.com/filamentphp/filament/commit/87… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T15:26:20.803891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T15:28:12.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T00:43:06.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g"
},
{
"name": "https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815"
}
],
"source": {
"advisory": "GHSA-pvcv-q3q7-266g",
"discovery": "UNKNOWN"
},
"title": "Filament\u0027s multi-factor authentication (app) recovery codes can be used multiple times"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67507",
"datePublished": "2025-12-10T00:43:06.855Z",
"dateReserved": "2025-12-08T21:36:28.780Z",
"dateUpdated": "2025-12-10T15:28:12.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51758 (GCVE-0-2024-51758)
Vulnerability from nvd – Published: 2024-11-07 17:46 – Updated: 2024-11-21 16:23
VLAI
Title
Exported files stored in default (`public`) filesystem if not reconfigured in filament
Summary
Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like `s3` when deploying their app, without having to touch multiple configuration options and potentially forgetting about some. The default disk is set to `public` when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support. However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for many deployed applications, since they already use a secure default disk such as S3 in production. However, [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) suggests that having the `public` disk as the default disk in Filament is a security vulnerability itself. As such, we have implemented a measure to protect users whereby if the `public` disk is set as the default disk, the exports feature will automatically swap it out for the `local` disk, if that exists. Users who have already set the default disk to `local` or `s3` are not affected. If a user wants to continue to use the `public` disk for exports, they can do so by setting the export disk deliberately. This change has been included in the 3.2.123 release and all users who use the `public` disk are advised to upgrade.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1188 - Insecure Default Initialization of Resource
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://filamentphp.com/docs/3.x/actions/prebuilt… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 3.2.0, < 3.2.123
|
|
| filament | excel_export |
Affected:
0 , ≤ 3.2.0
(custom)
Affected: 0 , < 3.2.123 (custom) cpe:2.3:a:filament:excel_export:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:filament:excel_export:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "excel_export",
"vendor": "filament",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.2.123",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51758",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T19:21:37.525972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T16:23:23.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.123"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like `s3` when deploying their app, without having to touch multiple configuration options and potentially forgetting about some. The default disk is set to `public` when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support. However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) suggests that having the `public` disk as the default disk in Filament is a security vulnerability itself. As such, we have implemented a measure to protect users whereby if the `public` disk is set as the default disk, the exports feature will automatically swap it out for the `local` disk, if that exists. Users who set the default disk to `local` or `s3` already are not affected. If a user wants to continue to use the `public` disk for exports, they can by setting the export disk deliberately. This change has been included in the 3.2.123 release and all users who use the `public` disk are advised to upgrade."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188: Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T13:22:40.970Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-4hxw-gc2q-f6f3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-4hxw-gc2q-f6f3"
},
{
"name": "https://filamentphp.com/docs/3.x/actions/prebuilt-actions/export#customizing-the-storage-disk",
"tags": [
"x_refsource_MISC"
],
"url": "https://filamentphp.com/docs/3.x/actions/prebuilt-actions/export#customizing-the-storage-disk"
}
],
"source": {
"advisory": "GHSA-4hxw-gc2q-f6f3",
"discovery": "UNKNOWN"
},
"title": "Exported files stored in default (`public`) filesystem if not reconfigured in filament"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51758",
"datePublished": "2024-11-07T17:46:36.151Z",
"dateReserved": "2024-10-31T14:12:45.792Z",
"dateUpdated": "2024-11-21T16:23:23.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47186 (GCVE-0-2024-47186)
Vulnerability from nvd – Published: 2024-09-27 21:04 – Updated: 2024-09-27 21:56
VLAI
Title
Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting
Summary
Filament is a collection of full-stack components for Laravel development. Versions of Filament from v3.0.0 through v3.2.114 are affected by a cross-site scripting (XSS) vulnerability. If values passed to a `ColorColumn` or `ColorEntry` are not valid and contain a specific set of characters, applications are vulnerable to an XSS attack against a user who opens a page on which a color column or entry is rendered. Filament v3.2.115 fixes this issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://github.com/filamentphp/filament/commit/df… | x_refsource_MISC |
| https://github.com/filamentphp/filament/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 3.0.0, < 3.2.115
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T21:55:24.935420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T21:56:30.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.2.115"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for Laravel development. Versions of Filament from v3.0.0 through v3.2.114 are affected by a cross-site scripting (XSS) vulnerability. If values passed to a `ColorColumn` or `ColorEntry` are not valid and contain a specific set of characters, applications are vulnerable to an XSS attack against a user who opens a page on which a color column or entry is rendered. Filament v3.2.115 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T21:04:33.587Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-9h9q-qhxg-89xr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-9h9q-qhxg-89xr"
},
{
"name": "https://github.com/filamentphp/filament/commit/df7989352464d08eda5837ef50f9997fad902316",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/commit/df7989352464d08eda5837ef50f9997fad902316"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v3.2.115",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v3.2.115"
}
],
"source": {
"advisory": "GHSA-9h9q-qhxg-89xr",
"discovery": "UNKNOWN"
},
"title": "Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47186",
"datePublished": "2024-09-27T21:04:33.587Z",
"dateReserved": "2024-09-19T22:32:11.963Z",
"dateUpdated": "2024-09-27T21:56:30.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-55409 (GCVE-0-2026-55409)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:47 – Updated: 2026-06-23 12:15
VLAI
Title
Filament: Disabled RichEditor field state can be used for XSS
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 3.0.0, < 3.3.53
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:14:53.175913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:15:00.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.53"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field\u0027s state isn\u0027t sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:47:51.607Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-m9cv-24rx-8mv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-m9cv-24rx-8mv7"
}
],
"source": {
"advisory": "GHSA-m9cv-24rx-8mv7",
"discovery": "UNKNOWN"
},
"title": "Filament: Disabled RichEditor field state can be used for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55409",
"datePublished": "2026-06-22T21:47:51.607Z",
"dateReserved": "2026-06-16T21:48:43.124Z",
"dateUpdated": "2026-06-23T12:15:00.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48067 (GCVE-0-2026-48067)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:46 – Updated: 2026-06-23 14:29
VLAI
Title
Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fields
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.11.4
Affected: >= 5.0.0, < 5.6.4 Affected: >= 3.0.0, < 3.3.51 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:29:10.944113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T14:29:20.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.4"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.51"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component\u0027s state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:46:27.323Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr"
}
],
"source": {
"advisory": "GHSA-7q3w-xqjw-g3cr",
"discovery": "UNKNOWN"
},
"title": "Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48067",
"datePublished": "2026-06-22T21:46:27.323Z",
"dateReserved": "2026-05-20T18:25:25.707Z",
"dateUpdated": "2026-06-23T14:29:20.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48167 (GCVE-0-2026-48167)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:43 – Updated: 2026-06-23 12:32
VLAI
Title
Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.11.5
Affected: >= 5.0.0, < 5.6.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:31:17.201932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:32:20.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn\u0027t validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:43:42.489Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4"
}
],
"source": {
"advisory": "GHSA-3fc8-8hp6-6jr4",
"discovery": "UNKNOWN"
},
"title": "Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48167",
"datePublished": "2026-06-22T21:43:42.489Z",
"dateReserved": "2026-05-20T23:12:43.032Z",
"dateUpdated": "2026-06-23T12:32:20.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48500 (GCVE-0-2026-48500)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:41 – Updated: 2026-06-23 13:52
VLAI
Title
Filament: Unauthenticated temporary file upload on auth pages
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 3.0.0, < 3.3.52
Affected: >= 5.0.0, < 5.6.5 Affected: >= 4.0.0, < 4.11.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T13:51:46.634712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T13:52:57.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.52"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire\u0027s WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application\u0027s temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:41:17.776Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5"
}
],
"source": {
"advisory": "GHSA-44wp-g8f4-f4v5",
"discovery": "UNKNOWN"
},
"title": "Filament: Unauthenticated temporary file upload on auth pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48500",
"datePublished": "2026-06-22T21:41:17.776Z",
"dateReserved": "2026-05-21T15:33:08.292Z",
"dateUpdated": "2026-06-23T13:52:57.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48166 (GCVE-0-2026-48166)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:40 – Updated: 2026-06-23 12:29
VLAI
Title
Filament: Timing-based user enumeration on login page
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.11.5
Affected: >= 5.0.0, < 5.6.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:28:19.870932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:29:33.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:42:37.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f"
}
],
"source": {
"advisory": "GHSA-5w46-g9pq-wh6f",
"discovery": "UNKNOWN"
},
"title": "Filament: Timing-based user enumeration on login page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48166",
"datePublished": "2026-06-22T21:40:01.897Z",
"dateReserved": "2026-05-20T23:12:43.032Z",
"dateUpdated": "2026-06-23T12:29:33.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48505 (GCVE-0-2026-48505)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:39 – Updated: 2026-06-23 14:28
VLAI
Title
Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and from 5.0.0 until 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament | Affected: >= 4.0.0, < 4.11.5; Affected: >= 5.0.0, < 5.6.5 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:28:27.382918Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T14:28:42.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.11.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user\u0027s password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker\u0027s window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:42:19.537Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh"
}
],
"source": {
"advisory": "GHSA-mc5j-f6wx-h9qh",
"discovery": "UNKNOWN"
},
"title": "Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48505",
"datePublished": "2026-06-22T21:39:26.304Z",
"dateReserved": "2026-05-21T16:18:10.618Z",
"dateUpdated": "2026-06-23T14:28:42.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33080 (GCVE-0-2026-33080)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:58 – Updated: 2026-03-25 13:46
VLAI
Title
Filament: Unvalidated Range and Values summarizer values can be used for XSS
Summary
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://github.com/filamentphp/filament/commit/ef… | x_refsource_MISC |
| https://github.com/filamentphp/filament/releases/… | x_refsource_MISC |
| https://github.com/filamentphp/filament/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament | Affected: >= 4.0.0, < 4.8.5; Affected: >= 5.0.0, < 5.3.5 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:44:22.834939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:46:27.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.8.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T08:58:45.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc"
},
{
"name": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v4.8.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v5.3.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5"
}
],
"source": {
"advisory": "GHSA-vv3x-j2x5-36jc",
"discovery": "UNKNOWN"
},
"title": "Filament: Unvalidated Range and Values summarizer values can be used for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33080",
"datePublished": "2026-03-20T08:58:45.360Z",
"dateReserved": "2026-03-17T19:27:06.345Z",
"dateUpdated": "2026-03-25T13:46:27.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67507 (GCVE-0-2025-67507)
Vulnerability from cvelistv5 – Published: 2025-12-10 00:43 – Updated: 2025-12-10 15:28
VLAI
Title
Filament's multi-factor authentication (app) recovery codes can be used multiple times
Summary
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://github.com/filamentphp/filament/commit/87… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament | Affected: >= 4.0.0, < 4.3.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T15:26:20.803891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T15:28:12.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T00:43:06.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g"
},
{
"name": "https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815"
}
],
"source": {
"advisory": "GHSA-pvcv-q3q7-266g",
"discovery": "UNKNOWN"
},
"title": "Filament\u0027s multi-factor authentication (app) recovery codes can be used multiple times"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67507",
"datePublished": "2025-12-10T00:43:06.855Z",
"dateReserved": "2025-12-08T21:36:28.780Z",
"dateUpdated": "2025-12-10T15:28:12.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51758 (GCVE-0-2024-51758)
Vulnerability from cvelistv5 – Published: 2024-11-07 17:46 – Updated: 2024-11-21 16:23
VLAI
Title
Exported files stored in default (`public`) filesystem if not reconfigured in filament
Summary
Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like `s3` when deploying their app, without having to touch multiple configuration options and potentially forgetting about some. The default disk is set to `public` when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support. However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for many deployed applications, since many use a secure default disk such as S3 in production. However, [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) suggests that having the `public` disk as the default disk in Filament is a security vulnerability itself. As such, we have implemented a measure to protect users whereby if the `public` disk is set as the default disk, the exports feature will automatically swap it out for the `local` disk, if that exists. Users who have already set the default disk to `local` or `s3` are not affected. If a user wants to continue to use the `public` disk for exports, they can do so by setting the export disk explicitly. This change has been included in the 3.2.123 release and all users who use the `public` disk are advised to upgrade.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1188 - Insecure Default Initialization of Resource
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://filamentphp.com/docs/3.x/actions/prebuilt… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament | Affected: >= 3.2.0, < 3.2.123 | |
| filament | excel_export | Affected: 0 , ≤ 3.2.0 (custom); Affected: 0 , < 3.2.123 (custom) | cpe:2.3:a:filament:excel_export:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:filament:excel_export:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "excel_export",
"vendor": "filament",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.2.123",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51758",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T19:21:37.525972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T16:23:23.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.123"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like `s3` when deploying their app, without having to touch multiple configuration options and potentially forgetting about some. The default disk is set to `public` when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support. However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) suggests that having the `public` disk as the default disk in Filament is a security vulnerability itself. As such, we have implemented a measure to protect users whereby if the `public` disk is set as the default disk, the exports feature will automatically swap it out for the `local` disk, if that exists. Users who set the default disk to `local` or `s3` already are not affected. If a user wants to continue to use the `public` disk for exports, they can by setting the export disk deliberately. This change has been included in the 3.2.123 release and all users who use the `public` disk are advised to upgrade."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188: Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T13:22:40.970Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-4hxw-gc2q-f6f3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-4hxw-gc2q-f6f3"
},
{
"name": "https://filamentphp.com/docs/3.x/actions/prebuilt-actions/export#customizing-the-storage-disk",
"tags": [
"x_refsource_MISC"
],
"url": "https://filamentphp.com/docs/3.x/actions/prebuilt-actions/export#customizing-the-storage-disk"
}
],
"source": {
"advisory": "GHSA-4hxw-gc2q-f6f3",
"discovery": "UNKNOWN"
},
"title": "Exported files stored in default (`public`) filesystem if not reconfigured in filament"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51758",
"datePublished": "2024-11-07T17:46:36.151Z",
"dateReserved": "2024-10-31T14:12:45.792Z",
"dateUpdated": "2024-11-21T16:23:23.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47186 (GCVE-0-2024-47186)
Vulnerability from cvelistv5 – Published: 2024-09-27 21:04 – Updated: 2024-09-27 21:56
VLAI
Title
Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting
Summary
Filament is a collection of full-stack components for Laravel development. Versions of Filament from v3.0.0 through v3.2.114 are affected by a cross-site scripting (XSS) vulnerability. If values passed to a `ColorColumn` or `ColorEntry` are not valid and contain a specific set of characters, applications are vulnerable to an XSS attack against a user who opens a page on which a color column or entry is rendered. Filament v3.2.115 fixes this issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/filamentphp/filament/security/… | x_refsource_CONFIRM |
| https://github.com/filamentphp/filament/commit/df… | x_refsource_MISC |
| https://github.com/filamentphp/filament/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filamentphp | filament | Affected: >= 3.0.0, < 3.2.115 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T21:55:24.935420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T21:56:30.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.2.115"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for Laravel development. Versions of Filament from v3.0.0 through v3.2.114 are affected by a cross-site scripting (XSS) vulnerability. If values passed to a `ColorColumn` or `ColumnEntry` are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a color column or entry is rendered. Filament v3.2.115 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T21:04:33.587Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-9h9q-qhxg-89xr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-9h9q-qhxg-89xr"
},
{
"name": "https://github.com/filamentphp/filament/commit/df7989352464d08eda5837ef50f9997fad902316",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/commit/df7989352464d08eda5837ef50f9997fad902316"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v3.2.115",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v3.2.115"
}
],
"source": {
"advisory": "GHSA-9h9q-qhxg-89xr",
"discovery": "UNKNOWN"
},
"title": "Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47186",
"datePublished": "2024-09-27T21:04:33.587Z",
"dateReserved": "2024-09-19T22:32:11.963Z",
"dateUpdated": "2024-09-27T21:56:30.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}