Description
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.
Published: 2026-06-22
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Filament’s ImageColumn and ImageEntry components render raw database values without escaping HTML. An attacker can therefore store malicious markup or JavaScript in the database that is later rendered for any user who views the table or schema. The resulting stored XSS can lead to session hijacking, credential theft, or other arbitrary client-side code execution; the weakness is a classic HTML injection flaw (CWE-79).

Affected Systems

The vulnerability affects the filamentphp/filament component library. All versions from 4.0.0 up to and including 4.11.4, as well as every 5.x release prior to 5.6.5, are impacted. The flaw is resolved in 4.11.5 and in 5.6.5.

Risk and Exploitability

The CVSS score of 6.4 classifies it as a moderate-severity vulnerability. No EPSS data is published, and the flaw is not listed in the CISA KEV catalog. Attackers would need the ability to write data that flows into ImageColumn or ImageEntry, typically by creating or editing database records through the web interface, and then convince an end user to view the affected table. Because the payload is stored server-side, any authenticated user who views the table can be impacted.

Generated by OpenCVE AI on June 22, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade filamentphp/filament to version 4.11.5 or later, or to 5.6.5 or later, where the rendering of ImageColumn and ImageEntry now properly escapes HTML.
  • If an upgrade is not immediately possible, sanitize or validate the input that populates the ImageColumn and ImageEntry fields to eliminate or encode special HTML characters before storing them in the database.
  • As an interim workaround, remove or disable the vulnerable ImageColumn and ImageEntry components and replace any displayed images with a safe rendering approach that escapes HTML output.
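A concrete form of the second action above, as an added example that is not Filament's or OpenCVE's own code: a Laravel form request that only lets a safe storage path or https URL reach the column an ImageColumn or ImageEntry reads, plus an audit method for rows already stored. The `Product` model, `products` table and `image_path` column are hypothetical names.

```php
<?php
// Added example, not part of Filament: validate the value that will later be
// rendered by ImageColumn/ImageEntry so HTML metacharacters never reach the
// database. `products` and `image_path` are hypothetical names.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\DB;

class StoreProductRequest extends FormRequest
{
    // Either a relative path on the public disk (e.g. products/a1.png) or an
    // https URL. Both alternatives allow only characters that can never open or
    // close an HTML tag or attribute: < > " ' and & are excluded by construction.
    public const SAFE_IMAGE_PATTERN =
        '#^(?:https://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~\-/%]*)?'
        . '|[A-Za-z0-9_\-]+(?:/[A-Za-z0-9._\-]+)*\.(?:jpe?g|png|gif|webp))$#';

    public function rules(): array
    {
        // Array syntax is required because the pattern contains '|'.
        return [
            'image_path' => ['required', 'string', 'max:2048', 'regex:' . self::SAFE_IMAGE_PATTERN],
        ];
    }

    /**
     * Defensive audit for data already in the table: returns the ids of rows
     * whose image value could not have passed the rule above, so they can be
     * reviewed before the table is shown on an unpatched Filament version.
     */
    public static function auditExistingRows(string $table = 'products', string $column = 'image_path'): array
    {
        return DB::table($table)
            ->pluck($column, 'id')
            // Drop rows that are empty or match the safe pattern; what remains is suspect.
            ->reject(fn (?string $value) => $value === null
                || preg_match(self::SAFE_IMAGE_PATTERN, $value) === 1)
            ->keys()
            ->all();
    }
}
```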

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type         Values Removed   Values Added
Description                   Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.
Title                         Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:43:42.489Z

Reserved: 2026-05-20T23:12:43.032Z

Link: CVE-2026-48167

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')