{"uuid": "6fa5823d-5693-4f75-8050-12e1be6ebf08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48500", "type": "seen", "source": "https://gist.github.com/alon710/f3efb3a6eb14f85378da7277ba2da374", "content": "# CVE-2026-48500: CVE-2026-48500: Unauthenticated File Upload and Resource Exhaustion in Filament Admins\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-06-23\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48500\n\n## Summary\nCVE-2026-48500 is an authorization bypass vulnerability within Filament, a full-stack Laravel administration panel suite. The flaw arises from the unauthenticated exposure of Livewire's file upload RPC endpoints on guest-facing pages, allowing remote actors to upload arbitrary files to temporary storage, potentially leading to storage exhaustion and service disruption.\n\n## TL;DR\nUnauthenticated users can exploit exposed Livewire file-upload endpoints on public pages to write arbitrary files to server storage, causing potential denial-of-service conditions.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 6.5\n- **EPSS Score**: 0.00207 (10.69th percentile)\n- **Impact**: Storage depletion, Denial of Service (DoS)\n- **Exploit Status**: PoC / Conceptual\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Filament Admin Panels for Laravel (filament/filament)\n- **filament/filament**: >= 3.0.0, < 3.3.52 (Fixed in: `3.3.52`)\n- **filament/filament**: >= 4.0.0, < 4.11.5 (Fixed in: `4.11.5`)\n- **filament/filament**: >= 5.0.0, < 5.6.5 (Fixed in: `5.6.5`)\n\n## Mitigation\n\n- Upgrade filament/filament dependency to patched versions\n- Implement custom web application firewalls or middleware to block upload RPCs on unauthenticated login routes\n- Ensure all custom public Livewire components enforce strict schema limits on dynamic file handling traits\n\n**Remediation Steps:**\n1. Verify current Filament version via 'composer show filament/filament'\n2. Run 'composer update filament/filament' to pull down the latest patch updates\n3. Apply RestrictsFileUploadsToSchemaComponents or RestrictsFileUploadsToFormComponents to custom public-facing components\n\n## References\n\n- [GitHub Security Advisory GHSA-44wp-g8f4-f4v5](https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5)\n- [CVE-2026-48500 Authority Record](https://www.cve.org/CVERecord?id=CVE-2026-48500)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48500) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T04:42:12.000000Z"}