Description
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
Published: 2026-03-20
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch Immediately
AI Analysis

Impact

This vulnerability allows an attacker to inject malicious HTML or JavaScript into database fields that are rendered by Filament Table summarizers without escaping. The injected payload is stored persistently and executed whenever a user views the table, enabling stored XSS attacks that can compromise user sessions, exfiltrate data, or modify page content. The weakness is a lack of input validation for summarizer values, identified as CWE‑79 and CWE‑80.

Affected Systems

The issue affects the filamentphp:filament collection of Laravel components. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 include vulnerable Range and Values summarizers. The components are used to build full‑stack admin interfaces in Laravel applications.

Risk and Exploitability

The CVSS score is 7.3, indicating a high severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the KEV catalog, and there is no known public exploit. The attack vector is inferred to be through any user who can view a table using the vulnerable summarizers; an attacker would first need to insert malicious data into a database column tied to those summarizers, typically via an authenticated or open input path. Once the data is stored, any subsequent viewer of the table will receive the malicious payload.

Generated by OpenCVE AI on March 23, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply latest Filament release v4.8.5 or later, or v5.3.5 or later, which patches the XSS vulnerability.
  • If an immediate update is not possible, restrict or sanitize input that populates table columns using the Range or Values summarizers to avoid storing raw HTML or JavaScript.

Generated by OpenCVE AI on March 23, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vv3x-j2x5-36jc Filament Unvalidated Range and Values summarizer values can be used for XSS
History

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Filamentphp
Filamentphp filament
Vendors & Products Filamentphp
Filamentphp filament

Fri, 20 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
Title Filament: Unvalidated Range and Values summarizer values can be used for XSS
Weaknesses CWE-79
CWE-80
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Filamentphp Filament
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:46:27.561Z

Reserved: 2026-03-17T19:27:06.345Z

Link: CVE-2026-33080

cve-icon Vulnrichment

Updated: 2026-03-25T13:46:20.625Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T09:16:16.050

Modified: 2026-03-23T15:43:48.920

Link: CVE-2026-33080

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:45Z

Weaknesses