Description
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.
Published: 2026-06-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Filament allows an unauthenticated attacker to upload arbitrary files to the application's temporary storage through Livewire components that do not need file uploads, such as the panel login form, because Filament applies Livewire's WithFileUploads trait to every component that embeds a schema. The uploaded data can be used to exhaust disk space or inflate storage costs, causing denial of service or financial impact. The weakness is missing access control over temporary uploads and is classified as a missing-authorization failure (CWE-862).

Affected Systems

The affected package is Filament, a collection of full-stack components for Laravel. Versions from 3.0.0 up to, but not including, the fixed releases 3.3.52, 4.11.5, and 5.6.5 are vulnerable. Because any schema can contain a file upload field, the upload capability is exposed even on forms that do not logically require uploads, such as the panel login form.

Risk and Exploitability

The CVSS score is 6.5 (Medium). Since no exploit is publicly available and the EPSS score is not reported, the likelihood of exploitation is uncertain but non-zero. The issue is not listed in the CISA KEV catalog. An attacker needs only unauthenticated access to the login or other authentication pages; no additional privileges or injection vectors are required.

Generated by OpenCVE AI on June 22, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Filament to a patched release: 3.3.52 or newer, 4.11.5 or newer, or 5.6.5 or newer
  • If upgrading is not immediately possible, disable file uploads on authentication components by removing the file field from the schema or by disabling the WithFileUploads trait for those Livewire components
  • Set limits or cleanup routines on the temporary storage directory to prevent disk exhaustion or cost escalation



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Values removed: none listed.

Values added:

  • Description: identical to the Description at the top of this page
  • Title: Filament: Unauthenticated temporary file upload on auth pages
  • Weaknesses: CWE-862
  • References
  • Metrics: cvssV3_1, score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:41:17.776Z

Reserved: 2026-05-21T15:33:08.292Z

Link: CVE-2026-48500

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses