Skip to main content

Filament CVE-2026-48166

| EUVDEUVD-2026-38393 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-06-22 GitHub_M GHSA-5w46-g9pq-wh6f
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible unauthenticated login endpoint with observable timing leak; limited confidentiality impact (email existence only), no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 23:02 EUVD
Analysis Generated
Jun 22, 2026 - 22:28 vuln.today

DescriptionCVE.org

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.

AnalysisAI

Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Filament login endpoint
Delivery
Submit login requests with candidate email list
Exploit
Measure HTTP response time per request
Execution
Statistical analysis reveals timing discrepancy
Persist
Partition emails into existing vs. non-existing accounts
Impact
Use confirmed account list for targeted phishing or credential stuffing

Vulnerability AssessmentAI

Exploitation The Filament login page must be network-accessible to the attacker - a default condition for any publicly-facing Filament application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N is proportionate to the actual impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits hundreds of login requests to the Filament login endpoint using a list of candidate email addresses, recording the HTTP response time for each. Requests for registered email addresses consistently take longer (due to the password hashing step) than those for non-existent accounts, allowing the attacker to partition the list into confirmed and unconfirmed accounts. …
Remediation Upgrade to Filament 4.11.5 (for the 4.x branch) or 5.6.5 (for the 5.x branch), which are confirmed fixed versions per the GitHub Security Advisory at https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy