Description
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.
Published: 2026-06-22
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An XSS vulnerability in Filament occurs when a disabled RichEditor field renders raw, unsanitized HTML. If an attacker can insert malicious HTML or JavaScript into the field’s stored state, the code will execute in the browsers of any users who view the form. This flaw allows arbitrary script execution on the client side, potentially compromising confidentiality and integrity of form data for all viewers.

Affected Systems

Filament PHP's Filament package, versions from 3.0.0 up to (but not including) 3.3.53, used in Laravel applications. The issue is resolved in 3.3.53 and later.

Risk and Exploitability

The CVSS score is 7.6, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no currently known active exploitation. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C) describes a stored XSS (CWE-79) reachable over the network: an attacker who already has low-privileged access to write to the RichEditor field stores malicious HTML, and the script executes for other users when they view the form, so the impact spills over from the attacker's own account into the sessions of every viewer.

Generated by OpenCVE AI on June 22, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Filament to version 3.3.53 or newer where the issue is fixed
  • If upgrading is delayed, ensure any content stored in the RichEditor field is sanitized before being rendered, especially when the field is disabled
  • Consider disabling or removing the RichEditor field from forms where it is not needed, or replace it with a plain text field to eliminate the risk
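One way to apply the second recommendation, as an added example that is not Filament's own code: sanitize the field's stored HTML when the form state is hydrated, so a disabled RichEditor never receives raw markup to render. It assumes the ezyang/htmlpurifier package is installed and uses Filament's afterStateHydrated hook; the field name and the tag allow-list are constructed for illustration, and upgrading to 3.3.53 remains the actual fix.

```php
<?php
// Added example (not Filament's own code): sanitize a RichEditor's stored HTML
// when the form state is filled, so a disabled field never renders raw markup.
// Assumes ezyang/htmlpurifier is installed; the field name "body" and the
// allow-list below are constructed for this example.

use Filament\Forms\Components\RichEditor;
use HTMLPurifier;
use HTMLPurifier_Config;

function sanitizeRichEditorHtml(?string $html): ?string
{
    if ($html === null) {
        return null;
    }

    $config = HTMLPurifier_Config::createDefault();
    // Allow only the formatting a rich editor legitimately produces. <script>,
    // event-handler attributes (onerror, onclick, ...) and javascript: URLs are
    // not in the allow-list and are dropped by the purifier.
    $config->set('HTML.Allowed', 'p,br,strong,em,u,s,a[href],ul,ol,li,h2,h3,blockquote,img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache needed here

    return (new HTMLPurifier($config))->purify($html);
}

// Read-only view of stored content. afterStateHydrated runs when the form
// state is filled from the model, i.e. before the field is rendered, which is
// exactly the point where the vulnerable versions skipped sanitization.
$field = RichEditor::make('body')
    ->disabled()
    ->afterStateHydrated(function (RichEditor $component, ?string $state): void {
        $component->state(sanitizeRichEditorHtml($state));
    });

// Constructed sample of stored state that an attacker may have planted earlier;
// after sanitization the <script> element and the onerror handler are gone and
// only the allowed <p> and <img src> markup survives.
$stored = '<p>Hello</p><img src="x" onerror="alert(1)"><script>alert(2)</script>';
$clean = sanitizeRichEditorHtml($stored);
```

The same helper can be reused in afterStateHydrated on the enabled variant of the field if the application cannot guarantee that the stored state was sanitized on write.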

Advisories
Source: GitHub GHSA
ID: GHSA-m9cv-24rx-8mv7
Title: Filament: Disabled RichEditor field state can be used for XSS
History

Mon, 22 Jun 2026 22:00:00 +0000

Values added (no values removed):

Description: Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.
Title: Filament: Disabled RichEditor field state can be used for XSS
Weaknesses: CWE-79
References: (none)
Metrics: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:47:51.607Z

Reserved: 2026-06-16T21:48:43.124Z

Link: CVE-2026-55409

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')