CVE-2026-48067
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
In Filament components for Laravel, the recordSelectOptionsQuery() method did not apply proper validation for Select fields in AttachAction and AssociateAction. This allows users to tamper with the Livewire component's state and submit out-of-scope values.
Risk Assessment
This vulnerability could lead to unauthorized access to data or improper application behavior, jeopardizing system integrity.
Recommendation
It is recommended to upgrade to filament/actions 4.11.4 or 5.6.4 and filament/tables 3.3.51 to mitigate this vulnerability.
Original NVD description (English source)
Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.

