Timing Discrepancy in Filament for Laravel by Filament
CVE-2026-48166
5.3 MEDIUM
What is CVE-2026-48166?
Filament, a collection of full-stack components designed to accelerate Laravel development, contains a timing discrepancy in its login page that can be exploited by unauthenticated attackers. This vulnerability enables them to ascertain whether a registered account exists for a given email address. Although the exposure is limited to account existence disclosure, it poses a risk by potentially allowing attackers to gather information about users. The issue has been resolved in Filament versions 4.11.5 and 5.6.5.
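The following is an added illustration of this class of flaw, not Filament's code or its patch. It assumes a common cause (the password hash check is skipped when no account matches the email) and uses a hypothetical in-memory user store and function names.

```php
<?php
declare(strict_types=1);

// Constructed sample user store (hypothetical; stands in for a users table).
$users = [
    'alice@example.test' => password_hash('correct horse battery', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Before: returns early when the email is unknown, so no bcrypt work is done
// and the response is measurably faster than for a registered email.
function loginLeaky(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    return password_verify($password, $users[$email]);
}

// After: verify against a fixed dummy hash of the same algorithm and cost when
// the email is unknown, so both paths perform one bcrypt verification.
function loginUniform(array $users, string $email, string $password, string $dummyHash): bool
{
    $known = isset($users[$email]);
    $hash = $known ? $users[$email] : $dummyHash;
    $matches = password_verify($password, $hash);
    return $known && $matches;
}

// Median wall-clock time of a login callable, in milliseconds.
function medianMs(callable $login, int $runs = 15): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);
        $login();
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

$dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);
foreach (['alice@example.test', 'nobody@example.test'] as $email) {
    printf("%-22s leaky %7.3f ms   uniform %7.3f ms\n", $email,
        medianMs(fn () => loginLeaky($users, $email, 'wrong-password')),
        medianMs(fn () => loginUniform($users, $email, 'wrong-password', $dummy)));
}
```

Run locally as a regression check: the two rows should show similar medians in the uniform column, while the leaky column differs by roughly the cost of one bcrypt verification.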
Affected Version(s)
filament >= 4.0.0, < 4.11.5 < 4.0.0, 4.11.5
filament >= 5.0.0, < 5.6.5 < 5.0.0, 5.6.5
