Skip to main content

CVE-2026-33080

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 https://github.com/filamentphp/filament GHSA-vv3x-j2x5-36jc
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 20:15 vuln.today
CVE Published
Mar 18, 2026 - 20:07 nvd
HIGH 7.3

DescriptionGitHub Advisory

Two Filament Table summarizers (Range, Values) render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in Filament Table's Range and Values summarizers, which render database values without HTML escaping. Affected products include filament_tables (Composer package), where an attacker with low privileges can inject malicious HTML or JavaScript into database columns used by these summarizers, executing arbitrary scripts when other users view the table. No KEV listing or EPSS data is available, but proof-of-concept details are documented in GitHub advisories GHSA-vv3x-j2x5-36jc.

Technical ContextAI

This vulnerability affects the Filament Table component (pkg:composer/filament_tables), specifically the Range and Values summarizer features. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS vulnerability where user-controlled data stored in database columns is rendered directly into HTML without sanitization or escaping. When table summarizers aggregate and display column data, they fail to encode special HTML characters, allowing script tags and event handlers to execute in the browser context of users viewing the summarized data. This is particularly dangerous in content management systems and admin panels built with the Filament framework.

RemediationAI

Consult the official GitHub Security Advisory at https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc for patched versions and upgrade filament_tables to the fixed release immediately via Composer. As an interim mitigation, implement strict input validation and HTML sanitization on all database columns used with Range and Values summarizers, using server-side escaping functions before data is stored. Consider implementing Content Security Policy (CSP) headers with script-src directives to reduce XSS impact, and review database content for existing malicious payloads that may have been injected prior to patching. Restrict user permissions to minimize who can modify columns used in summarizers.

Share

CVE-2026-33080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy