CVE-2026-33080 Overview
CVE-2026-33080 is a stored Cross-Site Scripting (XSS) vulnerability affecting Filament, a popular collection of full-stack components designed for accelerated Laravel development. The vulnerability exists in two Filament Table summarizers—Range and Values—which render raw database values without proper HTML escaping. When applications lack proper input validation for columns using these summarizers, attackers can inject malicious HTML or JavaScript that executes in the browsers of users viewing the affected tables.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users viewing Filament admin panels, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.
Affected Products
- Filament versions 4.0.0 through 4.8.4
- Filament versions 5.0.0 through 5.3.4
- Laravel applications using vulnerable Filament Table summarizers (Range, Values)
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-33080 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33080
Vulnerability Analysis
This stored XSS vulnerability arises from improper output encoding in the Filament Table component's summarizer functionality. Specifically, the Range and Values summarizers directly render database-sourced content into HTML without sanitization. This design assumes that all database content is trusted, which is a dangerous assumption in applications where user-controlled input is stored in database columns displayed by these summarizers.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack requires low privileges to plant malicious payloads and user interaction for the XSS to trigger when an administrator or user views the affected table.
Root Cause
The root cause is insufficient output encoding in the Range and Values table summarizers within Filament's table component. These summarizers retrieve values from the database and render them directly into the HTML response without escaping special characters like <, >, ", and '. This allows HTML and JavaScript code stored in database fields to be interpreted as executable code by the browser rather than displayed as plain text.
Attack Vector
The attack follows a stored XSS pattern where an attacker with the ability to insert data into database fields—either through legitimate application functionality or other vulnerabilities—can plant malicious payloads. When an administrator or user accesses a Filament admin panel table that uses the Range or Values summarizers on the compromised column, the malicious script executes in their browser context.
The exploitation mechanism involves injecting JavaScript payloads such as <script> tags or event handlers into database fields that are subsequently displayed through the vulnerable summarizers. For detailed technical information, refer to the GitHub Security Advisory GHSA-vv3x-j2x5-36jc.
Detection Methods for CVE-2026-33080
Indicators of Compromise
- Unusual JavaScript or HTML tags appearing in database fields that are rendered by Filament Table summarizers
- Unexpected outbound network requests from admin user sessions to unknown domains
- Reports of suspicious behavior when users view specific Filament tables
- Database entries containing encoded or obfuscated script content
Detection Strategies
- Audit database columns used with Range and Values summarizers for suspicious HTML/JavaScript content
- Monitor browser console logs and network traffic for signs of XSS payload execution
- Review application logs for unusual data submissions that may contain script tags
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
Monitoring Recommendations
- Enable CSP reporting to capture violations indicating potential XSS exploitation attempts
- Monitor authentication and session-related activities for anomalies following table views
- Set up alerts for database insertions containing common XSS patterns such as <script>, javascript:, or event handlers
- Regularly audit Filament table configurations to identify summarizers processing user-controlled data
How to Mitigate CVE-2026-33080
Immediate Actions Required
- Upgrade Filament to version 4.8.5 or 5.3.5 immediately to apply the security patch
- Audit all existing database records in columns displayed by Range and Values summarizers for malicious content
- Implement strict input validation and sanitization for all user-controllable fields
- Review and harden Content Security Policy headers to mitigate XSS impact
Patch Information
The vulnerability has been patched in Filament versions 4.8.5 and 5.3.5. The fix ensures proper HTML escaping of values rendered by the Range and Values summarizers. The patch commit is available at the GitHub Commit Details.
For version 4.x users, upgrade to v4.8.5. For version 5.x users, upgrade to v5.3.5.
Workarounds
- Implement server-side input validation to reject HTML and JavaScript in fields processed by table summarizers
- Apply manual HTML encoding to data before storage in affected columns
- Use custom summarizers that explicitly escape output until the official patch can be applied
- Implement strict Content Security Policy headers to prevent inline script execution as a defense-in-depth measure
# Upgrade Filament using Composer
composer require filament/filament:"^4.8.5"
# or for version 5.x
composer require filament/filament:"^5.3.5"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
