Filament: Unvalidated ImageColumn and ImageEntry values can be used for...

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.

Basic Information

ID CVE-2026-48167

Source GitHub_M

Published Jun 22, 2026 at 21:43

Affected Product

Vendor filamentphp

Product filament

Version >= 4.0.0, < 4.11.5

Affected Versions filamentphp filament >= 4.0.0, < 4.11.5
filamentphp filament >= 5.0.0, < 5.6.5

CWE Classification

CWE-79

References

github.com /filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4

{
    "lastseen": "",
    "description": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.",
    "published": "2026-06-22T21:43:42.489Z",
    "modified": "2026-06-22T21:43:42.489Z",
    "type": "cve",
    "title": "Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS",
    "source": "GitHub_M",
    "references": "https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4",
    "id": "CVE-2026-48167",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "filamentphp filament >= 4.0.0, < 4.11.5\nfilamentphp filament >= 5.0.0, < 5.6.5",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "filament",
    "version": ">= 4.0.0, < 4.11.5",
    "vendor": "filamentphp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS_CVE-2026-48167