Filament
Monthly
Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. Vendor-released patches exist at versions 4.11.5 and 5.6.5; no public exploit code or CISA KEV listing has been identified at time of analysis.
Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.
Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. The impact is confined to account enumeration - no credentials, session tokens, or other data are exposed - but the disclosed information can seed targeted phishing or credential-stuffing campaigns. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.
Filament is a collection of full-stack components for Laravel development. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. Vendor-released patches exist at versions 4.11.5 and 5.6.5; no public exploit code or CISA KEV listing has been identified at time of analysis.
Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.
Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. The impact is confined to account enumeration - no credentials, session tokens, or other data are exposed - but the disclosed information can seed targeted phishing or credential-stuffing campaigns. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.
Filament is a collection of full-stack components for Laravel development. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.