CVE-2026-33080

March 20, 2026, 1:37 p.m.

7.3
High

Description

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.

Product(s) Impacted

Vendor Product Versions
Filament
  • Filament
  • 4.0.0-4.8.4, 5.0.0-5.3.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a filament filament 4.0.0-4.8.4 / / / / / / /
a filament filament 5.0.0-5.3.4 / / / / / / /

References

https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed
https://github.com/filamentphp/filament/releases/tag/v4.8.5
https://github.com/filamentphp/filament/releases/tag/v5.3.5
https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc

Tags

[email protected]
CWE-79
2026-03-20
CVE-2026-33080

CVSS Score

7.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: March 20, 2026, 9:16 a.m.
Last Modified: March 20, 2026, 1:37 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.