{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33080", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.345Z", "datePublished": "2026-03-20T08:58:45.360Z", "dateUpdated": "2026-03-25T13:46:27.561Z"}, "containers": {"cna": {"title": "Filament: Unvalidated Range and Values summarizer values can be used for XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc"}, {"name": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed", "tags": ["x_refsource_MISC"], "url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed"}, {"name": "https://github.com/filamentphp/filament/releases/tag/v4.8.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5"}, {"name": "https://github.com/filamentphp/filament/releases/tag/v5.3.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5"}], "affected": [{"vendor": "filamentphp", "product": "filament", "versions": [{"version": ">= 4.0.0, < 4.8.5", "status": "affected"}, {"version": ">= 5.0.0, < 5.3.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:58:45.360Z"}, "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."}], "source": {"advisory": "GHSA-vv3x-j2x5-36jc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:44:22.834939Z", "id": "CVE-2026-33080", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:46:27.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33080", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:44:22.834939Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:46:20.625Z"}}], "cna": {"title": "Filament: Unvalidated Range and Values summarizer values can be used for XSS", "source": {"advisory": "GHSA-vv3x-j2x5-36jc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "filamentphp", "product": "filament", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.8.5"}, {"status": "affected", "version": ">= 5.0.0, < 5.3.5"}]}], "references": [{"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc", "name": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed", "name": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5", "name": "https://github.com/filamentphp/filament/releases/tag/v4.8.5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5", "name": "https://github.com/filamentphp/filament/releases/tag/v5.3.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:58:45.360Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33080", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:46:27.561Z", "dateReserved": "2026-03-17T19:27:06.345Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:58:45.360Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F3FBF1F-313F-4C97-99DE-B68F6FC8B793", "versionEndExcluding": "4.8.5", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*", "matchCriteriaId": "83E21510-3935-49E1-82E7-DFD7443BB37B", "versionEndExcluding": "5.3.5", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."}, {"lang": "es", "value": "Filament es una colecci\u00f3n de componentes full-stack para el desarrollo acelerado de Laravel. Las versiones 4.0.0 a 4.8.4 y 5.0.0 a 5.3.4 tienen dos resumidores de tabla de Filament (Rango, Valores) que renderizan valores brutos de la base de datos sin escapar HTML. Si hay una falta de validaci\u00f3n para los datos en las columnas que usan estos resumidores, un atacante podr\u00eda insertar HTML / JavaScript malicioso y lograr XSS almacenado que se ejecuta para los usuarios que ven la tabla con esos resumidores. Este problema ha sido parcheado en las versiones 4.8.5 y 5.3.5."}], "id": "CVE-2026-33080", "lastModified": "2026-03-23T15:43:48.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T09:16:16.050", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.8.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.3.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filament", "source": "cna", "vendor": "filamentphp"}, "product": "filament", "vendor": "filamentphp"}], "analysis": {"en": {"generated_at": "2026-03-23T16:25:20.182303+00:00", "value": {"mitigation_remediation": ["Apply latest Filament release v4.8.5 or later, or v5.3.5 or later, which patches the XSS vulnerability.", "If an immediate update is not possible, restrict or sanitize input that populates table columns using the Range or Values summarizers to avoid storing raw HTML or JavaScript."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The issue affects the filamentphp:filament collection of Laravel components. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 include vulnerable Range and Values summarizers. The components are used to build full\u2011stack admin interfaces in Laravel applications.", "description_and_impact": "This vulnerability allows an attacker to inject malicious HTML or JavaScript into database fields that are rendered by Filament Table summarizers without escaping. The injected payload is stored persistently and executed whenever a user views the table, enabling stored XSS attacks that can compromise user sessions, exfiltrate data, or modify page content. The weakness is a lack of input validation for summarizer values, identified as CWE\u201179 and CWE\u201180.", "risk_and_exploitability": "The CVSS score is 7.3, indicating a high severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the KEV catalog, and there is no known public exploit. The attack vector is inferred to be through any user who can view a table using the vulnerable summarizers; an attacker would first need to insert malicious data into a database column tied to those summarizers, typically via an authenticated or open input path. Once the data is stored, any subsequent viewer of the table will receive the malicious payload."}}}}, "created": "2026-03-20T10:36:29.405661+00:00", "updated": "2026-03-25T14:29:45.285208+00:00", "vendors": ["filamentphp", "filamentphp$PRODUCT$filament"]}