Stored XSS Vulnerability in Filament Components for Laravel by Filament
CVE-2026-48167

6.4 MEDIUM

Key Information:

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-48167?

Filament components, used in Laravel development, are susceptible to a stored XSS vulnerability affecting versions from 4.0.0 up to (but not including) 4.11.5 and from 5.0.0 up to (but not including) 5.6.5. The ImageColumn and ImageEntry components render raw database values without escaping HTML. If an attacker injects malicious HTML or JavaScript into the database, it can execute upon user interaction when viewing the table or schema. This flaw poses a significant risk to users and has been addressed in subsequent releases.

Affected Version(s)

filament: >= 4.0.0, < 4.11.5

filament: >= 5.0.0, < 5.6.5

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
