Stored XSS Vulnerability in Filament Framework Affects Laravel Development Tools
CVE-2026-33080

7.3 HIGH

Key Information:

Status
Vendor
CVE Published: 20 March 2026

What is CVE-2026-33080?

The Filament framework for Laravel has a vulnerability in two of its table summarizers, Range and Values. These components render raw database values without proper HTML escaping. If user-provided data in the relevant columns is not adequately validated, an attacker could inject malicious HTML or JavaScript. The result is stored XSS: the injected script executes in the browser of unsuspecting users who interact with the affected tables. A fix has been released in versions 4.8.5 and 5.3.5.

Affected Version(s)

filament >= 4.0.0, < 4.8.5 < 4.0.0, 4.8.5

filament >= 5.0.0, < 5.3.5 < 5.0.0, 5.3.5
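
One way to check a project against the two ranges above, as an added example that is not part of the original advisory or of Filament's own code. It assumes the packages are listed in `composer.lock` under the `filament/` vendor prefix (the page only names "filament"), and the sample lock file is constructed.

```python
import json

# Affected ranges from this page: [first affected, first fixed)
AFFECTED = [((4, 0, 0), (4, 8, 5)), ((5, 0, 0), (5, 3, 5))]

def parse_version(text):
    """Turn 'v4.8.4' or '5.3.5' into (major, minor, patch); None if not a plain release."""
    core = text.lstrip("v").split("+")[0]          # drop 'v' prefix and build metadata
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None                                # e.g. 'dev-main', '4.x-dev', pre-releases
    return tuple([int(p) for p in parts] + [0] * (3 - len(parts)))

def audit_lock(lock_text, prefix="filament/"):     # prefix is an assumption, see lead-in
    """Return {package: (locked version, status)} for matching packages."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        name, raw = pkg.get("name", ""), pkg.get("version", "")
        if not name.startswith(prefix):
            continue
        ver = parse_version(raw)
        if ver is None:
            status = "unknown"                     # cannot compare: review by hand
        elif any(lo <= ver < hi for lo, hi in AFFECTED):
            status = "affected"
        else:
            status = "not affected"
        findings[name] = (raw, status)
    return findings

# Constructed sample input, not taken from a real project
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "filament/filament", "version": "v4.8.4"},
        {"name": "filament/tables", "version": "v4.8.4"},
        {"name": "laravel/framework", "version": "v12.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (raw, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {raw}: {status}")
```

Versions that are not plain releases are reported as `unknown` rather than guessed, so branch aliases and pre-releases get a manual look.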

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
