CVE-2026-33080
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Two Filament Table summarizers (Range, Values) render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers.
AnalysisAI
A stored cross-site scripting (XSS) vulnerability exists in Filament Table's Range and Values summarizers, which render database values without HTML escaping. Affected products include filament_tables (Composer package), where an attacker with low privileges can inject malicious HTML or JavaScript into database columns used by these summarizers, executing arbitrary scripts when other users view the table. No KEV listing or EPSS data is available, but proof-of-concept details are documented in GitHub advisories GHSA-vv3x-j2x5-36jc.
Technical ContextAI
This vulnerability affects the Filament Table component (pkg:composer/filament_tables), specifically the Range and Values summarizer features. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS vulnerability where user-controlled data stored in database columns is rendered directly into HTML without sanitization or escaping. When table summarizers aggregate and display column data, they fail to encode special HTML characters, allowing script tags and event handlers to execute in the browser context of users viewing the summarized data. This is particularly dangerous in content management systems and admin panels built with the Filament framework.
RemediationAI
Consult the official GitHub Security Advisory at https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc for patched versions and upgrade filament_tables to the fixed release immediately via Composer. As an interim mitigation, implement strict input validation and HTML sanitization on all database columns used with Range and Values summarizers, using server-side escaping functions before data is stored. Consider implementing Content Security Policy (CSP) headers with script-src directives to reduce XSS impact, and review database content for existing malicious payloads that may have been injected prior to patching. Restrict user permissions to minimize who can modify columns used in summarizers.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vv3x-j2x5-36jc