135 matches found
EUVD-2026-38394
Filament: Unauthenticated temporary file upload on auth pages...
PT-2026-51389
Name of the Vulnerable Software and Affected Versions Filament versions prior to 3.3.52 Filament versions prior to 4.11.5 Filament versions prior to 5.6.5 Description Filament applies Livewire's WithFileUploads trait to components where schemas may contain file upload fields. Certain schemas, suc...
Laravel Livewire v3 - Remote Command Execution
Livewire v3 Laravel contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution RCE without authentication under certain conditions. id: CVE-2025-54068 info: name: Laravel Livewire v3 - Remote Command Execution author: flame-11...
GHSA-7Q3W-XQJW-G3CR Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
The recordSelectOptionsQuery method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the...
PT-2026-48811
Name of the Vulnerable Software and Affected Versions filament/actions versions 4.0.0 through 4.11.3 filament/actions versions 5.0.0 through 5.6.3 filament/tables versions 3.0.0 through 3.3.50 Description The recordSelectOptionsQuery method is used to scope options available in the Select field f...
Shopper: Multiple data integrity and disclosure issues in admin Livewire components
Impact Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS: - IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the Locked attribute. An...
GHSA-HR9V-R8R2-HG7J Shopper: Multiple data integrity and disclosure issues in admin Livewire components
Impact Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS: - IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the Locked attribute. An...
Shopper: Missing authorization on Product admin Livewire sub-form components
Impact Sub-form Livewire components used in the product editor Edit, Inventory, Seo, Shipping, Files had no authorization on their store method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media witho...
EUVD-2026-33408
Shopper: Missing authorization on Product admin Livewire sub-form components...
GHSA-H4MP-G9C6-XWPH Shopper: Missing authorization on Product admin Livewire sub-form components
Impact Sub-form Livewire components used in the product editor Edit, Inventory, Seo, Shipping, Files had no authorization on their store method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media witho...
PT-2026-47090
Impact Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS: - IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the Locked attribute. An...
CVE-2026-10284
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
CVE-2026-47742
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor Edit, Inventory, Seo, Shipping, Files had no authorization on their store method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO...
CVE-2026-10284
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
CVE-2026-10284 DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
CVE-2026-10284 DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
EUVD-2026-33752
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
CVE-2026-10284
The CVE-2026-10284 entry concerns DevaslanPHP Project-Management up to version 2.0.0-beta1. The vulnerability affects the Livewire Handler component, specifically the editComment and doDeleteComment functions within app/Filament/Resources/TicketResource/Pages/ViewTicket.php. The root cause is imp...
PT-2026-45549
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
Project Management 授权问题漏洞
Project Management is an open-source project management tool developed by DEVASLAN and released under the PHP open-source license. Versions of Project Management 2.0.0-beta1 and earlier contained vulnerabilities related to authorization. These vulnerabilities stemmed from improper authorization i...