CVE-2026-55409

Filament (Laravel) v3 contains a vulnerability where a disabled RichEditor field renders its raw HTML state without sanitization. If the form state data isn’t sanitized when populated, an attacker could inject malicious HTML/JavaScript, causing XSS to execute for users viewing the form. Affected ...

CVE-2026-55409 Filament: Disabled RichEditor field state can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attack...

Filament: Disabled RichEditor field state can be used for XSS

In Filament v3, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the...

PT-2026-50597

Name of the Vulnerable Software and Affected Versions Filament versions 3.0.0 through 3.3.52 Description A disabled RichEditor field renders its raw state without sanitizing HTML. If the data stored in the field's state was not previously sanitized when the form state was filled, an attacker can...

October CMS Has Stored XSS In Backend Editor Markup Classes

A stored cross-site scripting XSS vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...

CVE-2026-24906

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting XSS vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...

CVE-2020-4061

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

CVE-2020-4061

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

Design/Logic Flaw

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

CVE-2020-4061 Cross-site Scripting in OctoberPotential self-XSS when pasting content from malicious websites

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

CVE-2020-4061

CVE-2020-4061 affects October CMS’s Froala Rich Editor. Versions 1.0.319 through before 1.0.467 allow self-XSS when pasting content from malicious sites. The issue appears in the clipboard handling of the editor and has been fixed in 1.0.467. Remediation is to upgrade to 1.0.467 or apply the prov...

Cross-site Scripting in October

Impact Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. Patches Issue has been patched in Build 467 v1.0.467. Workarounds Apply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your...

Vanilla: Hidden Stored XSS in nested post embeds

Summary: Comments can be crafted in a way that when quoted will trigger a hidden stored XSS payload. Requires initial user interaction. Description: When quoting a comment, an attacker can edit the insert embed-external data url field to contain a string which when parsed, can result in the...

Vanilla: Stored XSS in embedded posts containing images

Summary: Embedded posts containing images can be maliciously crafted to insert Javascript code to run on page load. Description: Steps to reproduce: 1. Ensure you are logged into an account no special permissions are needed 2. Navigate to any page with the richEditor component e.g. any forum post...