Platform
laravel
Component
filamentphp/filament
Fixed in
4.0.1
5.0.1
CVE-2026-33080 describes a cross-site scripting (XSS) vulnerability discovered in Filament, a full-stack component suite for Laravel development. This vulnerability arises from insufficient escaping of HTML within the Table summarizers (Range and Values) when rendering raw database values. Exploitation can lead to the execution of malicious JavaScript in the browsers of users viewing tables utilizing these vulnerable summarizers, impacting Laravel applications using Filament.
An attacker can leverage this XSS vulnerability to inject arbitrary JavaScript code into the Filament Table component. This code could be used to steal user session cookies, redirect users to malicious websites, deface the application, or perform other actions on behalf of the user. The stored nature of the XSS means the malicious script persists until the data is updated or the vulnerable component is patched. Successful exploitation requires the attacker to control the data displayed in a column utilizing the vulnerable Range or Values summarizer, allowing them to inject the malicious HTML payload. The blast radius extends to all users who view the affected table, potentially compromising sensitive data and application functionality.
This vulnerability was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it a potential target. The vulnerability is not currently listed on CISA KEV. Given the widespread use of Laravel and Filament, and the relatively straightforward nature of XSS exploitation, active exploitation is possible.
Laravel applications utilizing Filament versions 4.0.0 through 5.3.4 are at risk. Specifically, applications that display user-controlled data in Filament Table components using the Range or Values summarizers are particularly vulnerable. Shared hosting environments where multiple Laravel applications share the same server resources could also be impacted if one application is vulnerable and can inject malicious code that affects other applications.
• laravel / wordpress: Examine Filament Table components for suspicious HTML or JavaScript code. Review application logs for unusual activity related to table rendering.
• generic web: Use curl/wget to inspect the rendered HTML of Filament tables, looking for injected script tags or event handlers.
curl 'https://your-laravel-app.com/filament/table' | grep -i '<script'
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33080 is to upgrade to Filament version 4.8.5 or 5.3.5, which contain the necessary fixes. If immediate upgrading is not feasible, consider implementing input validation on the database columns used in the Range and Values summarizers to sanitize potentially malicious HTML. As a temporary workaround, consider disabling the Range and Values summarizers until a proper upgrade can be performed. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of defense, but should not be relied upon as the sole mitigation.
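To make the escaping point concrete, the following is an added PHP illustration, not Filament's own code: a minimal model of what a Range and a Values summary render from raw database values, first unescaped and then escaped with the same flags Laravel's e() helper uses. The function names and the sample column are constructed for this example.

```php
<?php
// Added illustration of the unescaped-summarizer problem. This is NOT Filament's
// code: it is a framework-free model of a Range and a Values summary, written to
// show why database-derived strings must be escaped before entering HTML.

declare(strict_types=1);

/** Escape a value for an HTML text context (same flags as Laravel's e() helper). */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: raw column values concatenated straight into markup. */
function renderRangeUnsafe(array $values): string
{
    sort($values);
    return '<span>' . reset($values) . ' - ' . end($values) . '</span>';
}

/** Hardened pattern: every database-derived string is escaped first. */
function renderRangeSafe(array $values): string
{
    sort($values);
    return '<span>' . escapeHtml((string) reset($values)) . ' - '
        . escapeHtml((string) end($values)) . '</span>';
}

/** Hardened Values summary: distinct values, each escaped, joined for display. */
function renderValuesSafe(array $values): string
{
    $distinct = array_values(array_unique(array_map('strval', $values)));
    return '<span>' . implode(', ', array_map('escapeHtml', $distinct)) . '</span>';
}

// Constructed sample column: one stored cell carries markup, as a stored payload would.
$column = ['apple', '<script>/* constructed sample */</script>', 'banana'];

echo renderRangeUnsafe($column), PHP_EOL; // the <script> tag reaches the browser intact
echo renderRangeSafe($column), PHP_EOL;   // rendered as &lt;script&gt;..., i.e. shown as text
echo renderValuesSafe($column), PHP_EOL;
```

Run it with `php example.php` and compare the first two lines: only the escaped form keeps the stored markup from being interpreted by the browser.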
Upgrade Filament to version 4.8.5 or later if you are on the 4.x series, or to version 5.3.5 or later if you are on the 5.x series. This fixes the stored XSS vulnerability by correctly escaping the database values rendered by the Range and Values summarizers of Filament tables. Make sure to validate input data to prevent the injection of malicious code.
CVE-2026-33080 is a cross-site scripting (XSS) vulnerability affecting Filament versions from 4.0.0 up to, but not including, 5.3.5. It allows attackers to inject malicious scripts through unescaped HTML in Table summarizers.
If you are using Filament versions 4.0.0 through 5.3.4 and display user-controlled data in Filament Table components using the Range or Values summarizers, you are potentially affected.
Upgrade to Filament version 4.8.5 or 5.3.5. As a temporary workaround, validate input or disable the vulnerable summarizers.
While no public exploits are currently known, the vulnerability's ease of exploitation makes active exploitation possible.
Refer to the official Filament security advisory for details: [https://filamentphp.com/docs/security]