CVE-2026-33080
Received Received - Intake
Stored XSS in Filament Table Summarizers via Unescaped HTML

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33080
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
filamentphp filament From 4.0.0 (inc) to 4.8.5 (exc)
filamentphp filament From 5.0.0 (inc) to 5.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33080 is a vulnerability in the Filament PHP framework affecting the Table package\'s summarizer components named "Range" and "Values." These summarizers render raw database values without escaping HTML, which means that if the data in the columns using these summarizers is not properly validated, an attacker can inject malicious HTML or JavaScript code.'}, {'type': 'paragraph', 'content': 'This injection leads to a stored Cross-Site Scripting (XSS) attack, where the malicious script executes in the browsers of users who view the affected tables. The vulnerability arises because special characters like <, >, and & are not properly escaped or neutralized, allowing script execution within the web page context.'}, {'type': 'paragraph', 'content': 'The issue has been fixed in Filament versions 4.8.5 and 5.3.5 by escaping the output in these summarizers to prevent unescaped HTML from being rendered.'}] [4, 2]

Impact Analysis

This vulnerability can have serious security impacts if exploited. An attacker who can insert malicious HTML or JavaScript into the database columns used by the vulnerable summarizers can execute stored XSS attacks.

When users view the affected tables, the malicious script runs in their browsers, potentially allowing the attacker to steal sensitive information, hijack user sessions, modify displayed content, or perform actions on behalf of the user.

The CVSS score of 7.3 indicates a high severity, with impacts including high confidentiality and integrity risks, although availability is not affected.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unescaped HTML rendering in the Filament Table summarizers "Range" and "Values" in affected versions. Detection involves identifying if your system is running a vulnerable version of the Filament PHP framework (versions 4.0.0 through 4.8.4 or 5.0.0 through 5.3.4) and if any tables use these summarizers without proper data validation.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to stored XSS via database values rendered without escaping, you can detect it by checking the version of the filament/tables package installed and inspecting tables that use the Range or Values summarizers for unescaped HTML content.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerable version on your system include:'}, {'type': 'list_item', 'content': 'Check the installed version of filament/tables via Composer: composer show filament/tables'}, {'type': 'list_item', 'content': "Search your codebase for usage of the Range and Values summarizers in tables, for example using grep: grep -r 'Range' path/to/your/project"}, {'type': 'list_item', 'content': 'Inspect database columns used by these summarizers for any suspicious or unescaped HTML content.'}, {'type': 'paragraph', 'content': 'There are no specific network commands or automated detection tools mentioned in the provided resources.'}] [4]

Mitigation Strategies

The primary mitigation step is to upgrade the Filament PHP framework to a patched version where this vulnerability is fixed.

  • Upgrade to version 4.8.5 or later if you are on the 4.x branch.
  • Upgrade to version 5.3.5 or later if you are on the 5.x branch.

These versions include fixes that escape the output in the Range and Values summarizers to prevent unescaped HTML rendering and thus mitigate stored XSS attacks.

Additionally, ensure that any data used in these summarizers is properly validated and sanitized before being stored or displayed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33080. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart