CVE-2026-33080

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed	Patch
https://github.com/filamentphp/filament/releases/tag/v4.8.5	Product Release Notes
https://github.com/filamentphp/filament/releases/tag/v5.3.5	Product Release Notes
https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:filamentphp:filament::::::::
	cpe:2.3:a:filamentphp:filament::::::::

History

No history.

Information

Published : 2026-03-20 09:16

Updated : 2026-03-23 15:43

NVD link : CVE-2026-33080

Mitre link : CVE-2026-33080

CVE.ORG link : CVE-2026-33080

JSON object : View

Products Affected

filamentphp

filament

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2026-33080", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-20T09:16:16.050", "references": [{"url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."}, {"lang": "es", "value": "Filament es una colecci\u00f3n de componentes full-stack para el desarrollo acelerado de Laravel. Las versiones 4.0.0 a 4.8.4 y 5.0.0 a 5.3.4 tienen dos resumidores de tabla de Filament (Rango, Valores) que renderizan valores brutos de la base de datos sin escapar HTML. Si hay una falta de validaci\u00f3n para los datos en las columnas que usan estos resumidores, un atacante podr\u00eda insertar HTML / JavaScript malicioso y lograr XSS almacenado que se ejecuta para los usuarios que ven la tabla con esos resumidores. Este problema ha sido parcheado en las versiones 4.8.5 y 5.3.5."}], "lastModified": "2026-03-23T15:43:48.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F3FBF1F-313F-4C97-99DE-B68F6FC8B793", "versionEndExcluding": "4.8.5", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83E21510-3935-49E1-82E7-DFD7443BB37B", "versionEndExcluding": "5.3.5", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}