CVE-2026-33080 (GCVE-0-2026-33080)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:58 – Updated: 2026-03-25 13:46
VLAI?
Title
Filament: Unvalidated Range and Values summarizer values can be used for XSS
Summary
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
Severity ?
7.3 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| filamentphp | filament |
Affected:
>= 4.0.0, < 4.8.5
Affected: >= 5.0.0, < 5.3.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:44:22.834939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:46:27.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filament",
"vendor": "filamentphp",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.8.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T08:58:45.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc"
},
{
"name": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v4.8.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5"
},
{
"name": "https://github.com/filamentphp/filament/releases/tag/v5.3.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5"
}
],
"source": {
"advisory": "GHSA-vv3x-j2x5-36jc",
"discovery": "UNKNOWN"
},
"title": "Filament: Unvalidated Range and Values summarizer values can be used for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33080",
"datePublished": "2026-03-20T08:58:45.360Z",
"dateReserved": "2026-03-17T19:27:06.345Z",
"dateUpdated": "2026-03-25T13:46:27.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33080",
"date": "2026-04-15",
"epss": "0.00017",
"percentile": "0.03841"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33080\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T09:16:16.050\",\"lastModified\":\"2026-03-23T15:43:48.920\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.\"},{\"lang\":\"es\",\"value\":\"Filament es una colecci\u00f3n de componentes full-stack para el desarrollo acelerado de Laravel. Las versiones 4.0.0 a 4.8.4 y 5.0.0 a 5.3.4 tienen dos resumidores de tabla de Filament (Rango, Valores) que renderizan valores brutos de la base de datos sin escapar HTML. Si hay una falta de validaci\u00f3n para los datos en las columnas que usan estos resumidores, un atacante podr\u00eda insertar HTML / JavaScript malicioso y lograr XSS almacenado que se ejecuta para los usuarios que ven la tabla con esos resumidores. Este problema ha sido parcheado en las versiones 4.8.5 y 5.3.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.8.5\",\"matchCriteriaId\":\"0F3FBF1F-313F-4C97-99DE-B68F6FC8B793\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.3.5\",\"matchCriteriaId\":\"83E21510-3935-49E1-82E7-DFD7443BB37B\"}]}]}],\"references\":[{\"url\":\"https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/filamentphp/filament/releases/tag/v4.8.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/filamentphp/filament/releases/tag/v5.3.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33080\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T13:44:22.834939Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T13:46:20.625Z\"}}], \"cna\": {\"title\": \"Filament: Unvalidated Range and Values summarizer values can be used for XSS\", \"source\": {\"advisory\": \"GHSA-vv3x-j2x5-36jc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"filamentphp\", \"product\": \"filament\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.8.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.3.5\"}]}], \"references\": [{\"url\": \"https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc\", \"name\": \"https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed\", \"name\": \"https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/filamentphp/filament/releases/tag/v4.8.5\", \"name\": \"https://github.com/filamentphp/filament/releases/tag/v4.8.5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/filamentphp/filament/releases/tag/v5.3.5\", \"name\": \"https://github.com/filamentphp/filament/releases/tag/v5.3.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T08:58:45.360Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33080\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T13:46:27.561Z\", \"dateReserved\": \"2026-03-17T19:27:06.345Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T08:58:45.360Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…