Platform: laravel
Component: filamentphp/filament
Fixed in: 4.0.1, 5.0.1
CVE-2026-33080 describes a cross-site scripting (XSS) vulnerability discovered in Filament, a full-stack component suite for Laravel development. The vulnerability arises from insufficient escaping of HTML in the Table summarizers (Range and Values), which render raw database values into the page. Exploitation can lead to the execution of attacker-supplied JavaScript in the browsers of users viewing tables that use these summarizers, affecting Laravel applications built on Filament.
An attacker can leverage this XSS vulnerability to inject arbitrary JavaScript code into the Filament Table component. This code could be used to steal user session cookies, redirect users to malicious websites, deface the application, or perform other actions on behalf of the user. The stored nature of the XSS means the malicious script persists until the data is updated or the vulnerable component is patched. Successful exploitation requires the attacker to control the data displayed in a column utilizing the vulnerable Range or Values summarizer, allowing them to inject the malicious HTML payload. The blast radius extends to all users who view the affected table, potentially compromising sensitive data and application functionality.
This vulnerability was publicly disclosed on 2026-03-20. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation makes it a potential target. The vulnerability is not currently listed on CISA KEV. Given the widespread use of Laravel and Filament, and the relatively straightforward nature of XSS exploitation, active exploitation is possible.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33080 is to upgrade to Filament version 4.8.5 or 5.3.5, which contain the necessary fixes. If immediate upgrading is not feasible, consider validating or sanitizing the data written to the database columns that feed the Range and Values summarizers, so that stored values cannot carry malicious HTML. As a temporary workaround, consider disabling the Range and Values summarizers until a proper upgrade can be performed. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of defense, but should not be relied upon as the sole mitigation.
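To make the defect described above concrete, here is an added illustration in plain PHP; it is not Filament's code and does not reproduce its real summarizer API. It contrasts a summarizer that concatenates raw column values into markup with one that escapes every value before rendering, which is the class of fix the advisory refers to.

```php
<?php
// Added example (not Filament's own code). Minimal "Values" and "Range"
// summarizers over a column of raw database values. The unsafe variant
// interpolates values straight into HTML; the safe variants escape first.

declare(strict_types=1);

/** Unsafe: raw values dropped into markup (the defect class, kept only for contrast). */
function renderValuesUnsafe(array $values): string
{
    return '<span class="summary">' . implode(', ', $values) . '</span>';
}

/** Escape one value for an HTML text node (UTF-8, quotes included). */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Safe "Values" summarizer: each distinct value is escaped before concatenation. */
function renderValuesSafe(array $values): string
{
    $distinct = array_unique(array_map('strval', $values));
    return '<span class="summary">' . implode(', ', array_map('escapeHtml', $distinct)) . '</span>';
}

/** Safe "Range" summarizer: min and max are computed on raw data, then escaped. */
function renderRangeSafe(array $values): string
{
    if ($values === []) {
        return '<span class="summary"></span>';
    }
    $min = escapeHtml((string) min($values));
    $max = escapeHtml((string) max($values));
    return '<span class="summary">' . $min . ' - ' . $max . '</span>';
}

// Constructed sample column: one stored row carries markup, as a user could submit.
$column = ['alpha', '<script>alert(1)</script>', 'beta'];

echo renderValuesUnsafe($column), PHP_EOL; // the <script> tag reaches the browser intact
echo renderValuesSafe($column), PHP_EOL;   // rendered as &lt;script&gt;..., i.e. visible text
echo renderRangeSafe($column), PHP_EOL;    // min/max still escaped, even when a bound is markup
```

Run with `php example.php`; the first line shows the unescaped tag and the next two show it neutralised as entities.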
Update Filament to version 4.8.5 or later if you are using the 4.x series, or to version 5.3.5 or later if you are using the 5.x series. This fixes the stored XSS vulnerability by correctly escaping the database values rendered by the Range and Values summarizers of Filament tables. Make sure to validate input data to prevent the injection of malicious code.
CVE-2026-33080 is a cross-site scripting (XSS) vulnerability affecting Filament versions >= 4.0.0 and < 4.8.5, and >= 5.0.0 and < 5.3.5. It allows attackers to inject malicious scripts through unescaped HTML in Table summarizers.
If you are using Filament versions 4.0.0 through 5.3.4 and display user-controlled data in Filament Table components using the Range or Values summarizers, you are potentially affected.
Upgrade to Filament version 4.8.5 or 5.3.5. As a temporary workaround, validate input or disable the vulnerable summarizers.
While no public exploits are currently known, the vulnerability's ease of exploitation makes active exploitation possible.
Refer to the official Filament security advisory for details: https://filamentphp.com/docs/security