{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33080", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.345Z", "datePublished": "2026-03-20T08:58:45.360Z", "dateUpdated": "2026-03-20T08:58:45.360Z"}, "containers": {"cna": {"title": "Filament: Unvalidated Range and Values summarizer values can be used for XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc"}, {"name": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed", "tags": ["x_refsource_MISC"], "url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed"}, {"name": "https://github.com/filamentphp/filament/releases/tag/v4.8.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5"}, {"name": "https://github.com/filamentphp/filament/releases/tag/v5.3.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5"}], "affected": [{"vendor": "filamentphp", "product": "filament", "versions": [{"version": ">= 4.0.0, < 4.8.5", "status": "affected"}, {"version": ">= 5.0.0, < 5.3.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:58:45.360Z"}, "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."}], "source": {"advisory": "GHSA-vv3x-j2x5-36jc", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5."}], "id": "CVE-2026-33080", "lastModified": "2026-03-20T09:16:16.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:16.050", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/filamentphp/filament/commit/efa041aeeb4b1a99acd48aaa05584993c926d1ed"}, {"source": "security-advisories@github.com", "url": "https://github.com/filamentphp/filament/releases/tag/v4.8.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/filamentphp/filament/releases/tag/v5.3.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-vv3x-j2x5-36jc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:22:22.469570+00:00", "value": {"mitigation_remediation": ["Upgrade filamentphp:filament to version 4.8.5 or 5.3.5 or later"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The affected product is filamentphp:filament. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 are vulnerable. The issue is patched in version 4.8.5 and 5.3.5.", "description_and_impact": "Filament Table summarizers Range and Values render raw database values without escaping HTML, creating a stored XSS vulnerability. If a column that uses these summarizers contains data that has not been validated, an attacker can inject malicious HTML or JavaScript that will execute in the browsers of any user who views the table. The weakness is reflected in CWE\u201179 (Improper Neutralization of Input During Web Page Generation) and CWE\u201180 (Improper Neutralization of Input During HTML Generation).", "risk_and_exploitability": "The CVSS score is 7.3, indicating moderate to high severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker having the ability to insert or modify database entries that populate the summarizer columns; upon a victim's access to the affected table, the injected script executes in the victim\u2019s browser. This leads to potential theft of session cookies, credential hijacking, or redirection to malicious sites."}}}}, "created": "2026-03-20T10:36:29.405661+00:00", "updated": "2026-03-20T10:36:29.405688+00:00", "vendors": []}