Skip to main content

Filament

5 CVEs product

Monthly

CVE-2026-48167 PHP MEDIUM POC PATCH GHSA This Month

Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. Vendor-released patches exist at versions 4.11.5 and 5.6.5; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Filament
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-48500 PHP MEDIUM POC PATCH GHSA This Month

Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.

File Upload Authentication Bypass Filament
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48166 PHP MEDIUM POC PATCH GHSA This Month

Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. The impact is confined to account enumeration - no credentials, session tokens, or other data are exposed - but the disclosed information can seed targeted phishing or credential-stuffing campaigns. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Filament
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48505 PHP HIGH PATCH GHSA This Week

Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.

Race Condition Information Disclosure Filament
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2024-47186 PHP MEDIUM PATCH This Month

Filament is a collection of full-stack components for Laravel development. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Filament
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. Vendor-released patches exist at versions 4.11.5 and 5.6.5; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Filament
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.

File Upload Authentication Bypass Filament
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. The impact is confined to account enumeration - no credentials, session tokens, or other data are exposed - but the disclosed information can seed targeted phishing or credential-stuffing campaigns. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Filament
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.

Race Condition Information Disclosure Filament
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Filament is a collection of full-stack components for Laravel development. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Filament
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy