EUVD-2026-38394

Filament: Unauthenticated temporary file upload on auth pages...

EUVD-2026-38393

Filament: Timing-based user enumeration on login page...

CVE-2026-55409

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attack...

CVE-2026-48500

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, so...

CVE-2026-48067

Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery method may be used to scope the options available in the Select field for AttachActio...

CVE-2026-48166

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether ...

CVE-2026-48167

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant...

CVE-2026-55409 Filament: Disabled RichEditor field state can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attack...

CVE-2026-55409

Filament (Laravel) v3 contains a vulnerability where a disabled RichEditor field renders its raw HTML state without sanitization. If the form state data isn’t sanitized when populated, an attacker could inject malicious HTML/JavaScript, causing XSS to execute for users viewing the form. Affected ...

CVE-2026-48067

CVE-2026-48067 affects Filament components where the recordSelectOptionsQuery() used to scope options in AttachAction and AssociateAction Select fields did not apply the same scope in validation. From filament/actions 4.0.0–4.11.4 and 5.6.4, and filament/tables 3.0.0–3.3.51, an attacker could tri...

CVE-2026-48067 Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fields

Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery method may be used to scope the options available in the Select field for AttachActio...

CVE-2026-48167

CVE-2026-48167 (Filament) affects the ImageColumn and ImageEntry components of Filament (Laravel ecosystem). From versions 4.0.0 through 4.11.5 and 5.6.5, these components render raw database values without HTML escaping, enabling stored XSS if unvalidated data is passed. The vulnerability impact...

CVE-2026-48167 Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant...

CVE-2026-48500

Summary: Filament (Laravel components) had an unauthenticated temporary file upload issue on some auth-related schemas. Affected versions: 3.0.0–3.3.52, 4.11.5, and 5.6.5. Root cause: The Livewire component embeddings could apply WithFileUploads to forms that don’t require uploads, allowing unaut...

CVE-2026-48500 Filament: Unauthenticated temporary file upload on auth pages

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, so...

CVE-2026-48166

CVE-2026-48166 — Filament timing-based user enumeration on login page . Affects Filament login page in versions 4.0.0–4.11.5 and 5.6.5 of Filament (Laravel component library). An observable timing discrepancy on login allows unauthenticated attackers to determine whether a given email is register...

CVE-2026-48166 Filament: Timing-based user enumeration on login page

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether ...

CVE-2026-48505

Filament’s MFA recovery-code handling (versions 4.0.0–4.11.5 and 5.6.5) allows the same recovery code to be reused under concurrent submissions. When recovery codes are enabled, an attacker with the user’s password and codes can establish multiple authenticated sessions per code, extending access...

CVE-2026-48505 Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not...

PT-2026-51388

Name of the Vulnerable Software and Affected Versions Filament versions prior to 4.11.5 Filament versions prior to 5.6.5 Description The ImageColumn and ImageEntry components render raw database values without escaping HTML. If the data passed to these components is not validated, an attacker can...