Skip to main content

Filament CVE-2026-48500

| EUVDEUVD-2026-38394 MEDIUM
Missing Authorization (CWE-862)
2026-06-22 GitHub_M GHSA-44wp-g8f4-f4v5
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable login endpoint, no auth or interaction needed; impact limited to low integrity (temp file writes) and low availability (disk exhaustion); no confidentiality loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 23:02 EUVD
Analysis Generated
Jun 22, 2026 - 22:29 vuln.today

DescriptionCVE.org

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.

AnalysisAI

Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Filament login or public schema endpoint
Delivery
Send repeated multipart/form-data POST requests to Livewire upload route
Exploit
Bypass missing authorization check on WithFileUploads trait
Execution
Write arbitrary files to application temporary storage
Impact
Exhaust disk space or inflate cloud storage costs

Vulnerability AssessmentAI

Exploitation The Filament panel must be accessible over the network without authentication - the standard deployment topology for a Filament login page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L yields a base score of 6.5, accurately reflecting a low-complexity, network-accessible, unauthenticated attack with limited impact: no confidentiality breach, low integrity impact (arbitrary writes to temp storage), and low availability impact (disk exhaustion). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker scripting repeated multipart POST requests to the Filament panel's login endpoint (or any other publicly accessible schema endpoint) can write arbitrarily large files into the application's configured temporary storage directory. By automating this at volume, the attacker can exhaust available disk space on the server, causing application outages, or accumulate significant charges on cloud object storage bills. …
Remediation Upgrade to Filament 3.3.52, 4.11.5, or 5.6.5 immediately, as all three release lines have vendor-released patches available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy