Filament: Timing-based user enumeration on login page_CVE-2026-48166

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.

Basic Information

ID CVE-2026-48166

Source GitHub_M

Published Jun 22, 2026 at 21:40

Modified Jun 22, 2026 at 21:42

Affected Product

Vendor filamentphp

Product filament

Version >= 4.0.0, < 4.11.5

Affected Versions filamentphp filament >= 4.0.0, < 4.11.5
filamentphp filament >= 5.0.0, < 5.6.5

CWE Classification

CWE-208

References

github.com /filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f

{
    "lastseen": "",
    "description": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.",
    "published": "2026-06-22T21:40:01.897Z",
    "modified": "2026-06-22T21:42:37.340Z",
    "type": "cve",
    "title": "Filament: Timing-based user enumeration on login page",
    "source": "GitHub_M",
    "references": "https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f",
    "id": "CVE-2026-48166",
    "bulletinFamily": "",
    "cwe": [
        "CWE-208"
    ],
    "cvelist": null,
    "sourceData": "filamentphp filament >= 4.0.0, < 4.11.5\nfilamentphp filament >= 5.0.0, < 5.6.5",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "filament",
    "version": ">= 4.0.0, < 4.11.5",
    "vendor": "filamentphp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}