High severity7.6NVD Advisory· Published Jun 17, 2026· Updated Jun 17, 2026

Filament: Disabled RichEditor field state can be used for XSS

CVE-2026-55409

Description

In Filament v3, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form.

Please note that Filament v4 and above does not use the same mechanism for rendering a disabled RichEditor so this advisory does not apply.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Filamentphp/Filamentllm-fuzzy
Range: 3.x
ghsa-coords
pkg:composer/filament/forms
Range: >= 3.0.0, < 3.3.53

Patches

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000