Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible unauthenticated login endpoint with observable timing leak; limited confidentiality impact (email existence only), no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.
AnalysisAI
Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Filament login page must be network-accessible to the attacker - a default condition for any publicly-facing Filament application. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N is proportionate to the actual impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits hundreds of login requests to the Filament login endpoint using a list of candidate email addresses, recording the HTTP response time for each. Requests for registered email addresses consistently take longer (due to the password hashing step) than those for non-existent accounts, allowing the attacker to partition the list into confirmed and unconfirmed accounts. … |
| Remediation | Upgrade to Filament 4.11.5 (for the 4.x branch) or 5.6.5 (for the 5.x branch), which are confirmed fixed versions per the GitHub Security Advisory at https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 al
Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x throu
Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated atta
Filament is a collection of full-stack components for Laravel development. Rated medium severity (CVSS 6.1), this vulner
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38393
GHSA-5w46-g9pq-wh6f