VYPR
High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 25, 2026

Filament: Unvalidated Range and Values summarizer values can be used for XSS

CVE-2026-33080

Description

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Filament Table Range and Values summarizers do not escape HTML before rendering, enabling stored XSS when database values are unvalidated; patched in v4.8.5 and v5.3.5.

Vulnerability

Overview

CVE-2026-33080 affects Filament, a full-stack component library for Laravel. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 contain two Table summarizers—Range and Values—that render raw database values without HTML escaping [1]. If the data in columns using these summarizers is not properly validated, an attacker can inject malicious HTML or JavaScript into the database, leading to stored cross-site scripting (XSS) when users view the table [1][3].

Exploitation

Details

The vulnerability originates from missing e() calls (Laravel's HTML escaping helper) in the summarizer rendering code. The advisory notes that an attacker who can insert unvalidated data into a column that uses these summarizers can plant a payload. No authentication or privileges are required beyond whatever access normal data entry already grants; the attack vector is remote and the complexity is low [3]. The XSS payload executes in the context of any user who views the affected table, including administrators [1].

Impact

Successful exploitation permits stored XSS, enabling an attacker to steal session cookies, perform actions on behalf of the victim, deface pages, or exfiltrate sensitive data. Since the XSS is stored, it persists until the malicious data is removed or the summarizer is fixed, potentially affecting multiple users over time [1][3].

Mitigation

The vulnerability has been patched in Filament versions 4.8.5 and 5.3.5. The fix (commit efa041ae) adds e() calls around $from, $to, and formatState() outputs in the Range and Values summarizers, ensuring HTML entities are escaped [4]. Users should upgrade to the patched versions immediately. No workarounds are documented; the recommended action is application of the security update [1][3].
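As an added illustration of the fix described above (example code written for this page, not Filament's or Laravel's own), the script below reproduces the Range summarizer's embedded HTML before and after the patch and shows the one case Laravel's e() deliberately leaves unescaped. It assumes local stand-ins for Laravel's e(), filled() and the Htmlable contract.

```php
<?php
// Added example (not Filament's or Laravel's code): the Range summarizer's embedded HTML
// before and after the fix, using local stand-ins for Laravel's e() and filled() helpers.
declare(strict_types=1);

// Stand-in for Illuminate\Contracts\Support\Htmlable (assumed to match the contract).
interface Htmlable { public function toHtml(): string; }

// Stand-in for Laravel's e(): Htmlable values pass through unescaped (treated as
// trusted); anything else is entity-encoded with ENT_QUOTES, so quotes are safe too.
function e(mixed $value, bool $doubleEncode = true): string
{
    if ($value instanceof Htmlable) {
        return $value->toHtml();
    }
    return htmlspecialchars((string) ($value ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Stand-in for Laravel's filled(): null and whitespace-only strings count as blank.
function filled(mixed $v): bool
{
    return $v !== null && !(is_string($v) && trim($v) === '');
}

// Pre-fix rendering (<= 4.8.4 / <= 5.3.4): $from and $to are interpolated raw.
function renderRangeVulnerable(string $from, string $to): string
{
    $sep = (filled($from) && filled($to)) ? '-' : '';
    return '<span>' . $from . ' ' . $sep . ' ' . $to . '</span>';
}

// Post-fix rendering (4.8.5 / 5.3.5): each value goes through e() first.
function renderRangeFixed(mixed $from, mixed $to): string
{
    $sep = (filled($from) && filled($to)) ? '-' : '';
    return '<span>' . e($from) . ' ' . $sep . ' ' . e($to) . '</span>';
}
function check(string $label, string $actual, string $expected): void
{
    echo ($actual === $expected ? 'PASS ' : 'FAIL ') . $label . ': ' . $actual . PHP_EOL;
}
// Constructed sample: a stored column value that carries markup.
$from = '<script>alert(1)</script>';
$to   = '42';
check('vulnerable', renderRangeVulnerable($from, $to), '<span><script>alert(1)</script> - 42</span>');
check('fixed',      renderRangeFixed($from, $to),      '<span>&lt;script&gt;alert(1)&lt;/script&gt; - 42</span>');
// Caveat: e() trusts Htmlable objects (e.g. a Laravel HtmlString), so a value that
// reaches the template already wrapped as HTML is emitted as-is; keep raw user data out.
$html = new class implements Htmlable { public function toHtml(): string { return '<b>1</b>'; } };
check('htmlable passthrough', renderRangeFixed($html, $to), '<span><b>1</b> - 42</span>');
```

The third check is the practitioner's caveat: upgrading closes the template-level hole, but any formatting callback that wraps user-controlled data in an HtmlString reintroduces it.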

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions    Patched versions
filament/tables (Packagist)  >= 4.0.0, < 4.8.5    4.8.5
filament/tables (Packagist)  >= 5.0.0, < 5.3.5    5.3.5

Affected products

  • Filamentphp/Filament (llm-fuzzy match, 2 versions): >=4.0.0 <=4.8.4, >=5.0.0 <=5.3.4
    • (no CPE) range: >=4.0.0 <=4.8.4, >=5.0.0 <=5.3.4
    • (no CPE) range: >= 4.0.0, < 4.8.5

Patches

efa041aeeb4b

fix: Escaping range and values summarizer state (#19502)

https://github.com/filamentphp/filament · Dan Harrin · Mar 14, 2026 · via ghsa
2 files changed · +3 −3
  • packages/tables/src/Columns/Summarizers/Range.php (+2 −2, modified)
    @@ -155,11 +155,11 @@ public function toEmbeddedHtml(): string
     
                 <?php if (filled($from) || filled($to)) { ?>
                     <span>
    -                    <?= $from ?>
    +                    <?= e($from) ?>
     
                         <?= (filled($from) && filled($to)) ? '-' : '' ?>
     
    -                    <?= $to ?>
    +                    <?= e($to) ?>
                     </span>
                 <?php } ?>
             </div>
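Review bot: e($from) and e($to) close the hole at this render site, but Laravel's e() returns Htmlable values via toHtml() without escaping, so the fix only holds while $from and $to are plain scalars; a short comment or a type check where those two values are computed would make that invariant explicit. The literal '-' separator and the filled() guards are unaffected by the change.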
    
  • packages/tables/src/Columns/Summarizers/Values.php (+1 −1, modified)
    @@ -47,7 +47,7 @@ public function toEmbeddedHtml(): string
                     <ul <?= $this->isBulleted() ? 'class="fi-bulleted"' : '' ?>>
                         <?php foreach ($state as $stateItem) { ?>
                             <li>
    -                            <?= $this->formatState($stateItem) ?>
    +                            <?= e($this->formatState($stateItem)) ?>
                             </li>
                         <?php } ?>
                     </ul>
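Review bot: escaping the result of formatState($stateItem) rather than $stateItem itself is the right choice, since the formatted string is what lands in the <li>; the one remaining gap is that e() emits an Htmlable (such as an HtmlString returned by a formatting callback) unescaped by design, so such callbacks must not embed raw user data. A regression test that pushes a value like <script>alert(1)</script> through this template and asserts on the entity-encoded output would keep this and the Range change covered.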
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
