Description
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.
Published: 2026-06-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An XSS vulnerability in Filament occurs when a disabled RichEditor field renders raw, unsanitized HTML. If an attacker can insert malicious HTML or JavaScript into the field’s stored state, the code will execute in the browsers of any users who view the form. This flaw allows arbitrary script execution on the client side, potentially compromising confidentiality and integrity of form data for all viewers.

Affected Systems

Filament PHP’s Filament package, versions 3.0.0 through 3.3.53, used in Laravel applications. The issue is resolved in 3.3.53 and later.

Risk and Exploitability

The CVSS score is 7.6, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no currently known active exploitation. The most likely attack vector involves a web-based exploitation where an attacker injects malicious content into the RichEditor before the form is rendered, forcing it to be exposed to other users.

Generated by OpenCVE AI on June 22, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Filament to version 3.3.53 or newer where the issue is fixed
  • If upgrading is delayed, ensure any content stored in the RichEditor field is sanitized before being rendered, especially when the field is disabled
  • Consider disabling or removing the RichEditor field from forms where it is not needed, or replace it with a plain text field to eliminate the risk

Generated by OpenCVE AI on June 22, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m9cv-24rx-8mv7 Filament: Disabled RichEditor field state can be used for XSS
History

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Filamentphp
Filamentphp filament
Vendors & Products Filamentphp
Filamentphp filament

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.
Title Filament: Disabled RichEditor field state can be used for XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}


Subscriptions

Filamentphp Filament
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T12:15:00.867Z

Reserved: 2026-06-16T21:48:43.124Z

Link: CVE-2026-55409

cve-icon Vulnrichment

Updated: 2026-06-23T12:14:57.504Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T01:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')