CVE-2026-48167
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
Filament is a collection of components for accelerated Laravel development. From versions 4.0.0 to 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML, potentially leading to XSS attacks.
Risk Assessment
The lack of validation for data passed to these components could allow an attacker to inject malicious HTML or JavaScript, resulting in stored XSS that executes for users viewing the table or schema.
Recommendation
It is recommended to upgrade to versions 4.11.5 or 5.6.5 to mitigate this vulnerability.
Original NVD description (English source)
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.

