CVE-2026-33080
Published: 20 March 2026
Summary
CVE-2026-33080 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Filamentphp Filament. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks at the 6.5th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering or escaping output before it is rendered, which directly prevents the stored XSS by neutralizing malicious HTML/JS in the output of the affected Filament table summarizers.
SI-10 enforces input validation on data written to database columns, blocking malicious HTML/JS payloads before they are stored in the columns that the vulnerable summarizers render.
SI-2 mandates timely flaw remediation, such as patching Filament to version 4.8.5 or 5.3.5, which implement HTML escaping for the affected summarizers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables script injection in victim browsers for session hijacking (T1185) and cookie theft (T1539) leading to unauthorized actions as described.
NVD Description
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.
Deeper analysis
CVE-2026-33080 is a stored cross-site scripting (XSS) vulnerability (CWE-79, CWE-80) in Filament, a collection of full-stack components for accelerated Laravel development. The issue affects the Range and Values table summarizers in versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4, which render raw database values without escaping HTML. This flaw arises when there is insufficient validation of data in columns using these summarizers, allowing malicious HTML or JavaScript to be stored and rendered. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An attacker with low privileges, such as an authenticated user able to insert data into affected table columns, can exploit this by planting malicious payloads in the database. When administrators or other users view the table with the vulnerable summarizers enabled, the payload executes in their browsers, leading to stored XSS. Successful exploitation enables high-impact confidentiality and integrity violations, such as session hijacking, data theft, or unauthorized actions on behalf of the victim, though it requires user interaction and does not affect availability.
The Filament security advisory (GHSA-vv3x-j2x5-36jc) and related GitHub references confirm the issue has been addressed in versions 4.8.5 and 5.3.5 via a specific commit (efa041aeeb4b1a99acd48aaa05584993c926d1ed) that implements proper HTML escaping. Security practitioners should upgrade to these patched versions immediately and review custom table implementations for adequate input validation on summarizer columns to mitigate risks in unpatched environments.
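The following PHP script is an added illustration of the two controls discussed above (SI-15 output filtering and SI-10 input validation) applied to the summarizer pattern behind this CVE. It is not Filament's code and does not use Filament's classes: `renderRangeUnescaped`, `renderRangeEscaped`, `escapeHtml` and `validateNumericColumnValue` are hypothetical names, and the column values are constructed sample data. The unescaped renderer shows the shape of the defect (a stored value concatenated straight into markup); the escaped renderer shows the fix the patched versions apply at the output boundary.

```php
<?php
// Added illustration for CVE-2026-33080 (not Filament's code): a toy "Range"
// summary renderer in its unescaped and escaped forms, plus a column-level
// input check. All function names here are hypothetical.

declare(strict_types=1);

// Constructed sample values for a numeric "price" column. One row holds
// markup instead of a number, standing in for a payload that a low-privileged
// user was able to store because the column was not validated.
const SAMPLE_COLUMN = ['9.99', '<img src=x onerror=alert(1)>', '149.00'];

/**
 * Defect shape: minimum and maximum are concatenated into HTML as-is, so any
 * markup stored in the column reaches the viewer's browser intact.
 */
function renderRangeUnescaped(array $values): string
{
    sort($values, SORT_STRING);
    $min = (string) $values[0];
    $max = (string) $values[count($values) - 1];
    return '<span class="range">' . $min . ' - ' . $max . '</span>';
}

/**
 * SI-15, output filtering: escape at the point where a value is written into
 * markup. ENT_QUOTES covers attribute contexts as well as text nodes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRangeEscaped(array $values): string
{
    sort($values, SORT_STRING);
    $min = (string) $values[0];
    $max = (string) $values[count($values) - 1];
    return '<span class="range">' . escapeHtml($min) . ' - ' . escapeHtml($max) . '</span>';
}

/**
 * SI-10, input validation: a column that is summarised as a numeric range
 * should only ever accept numeric values. Reject anything else before it is
 * stored, so the escaping above is a second layer rather than the only one.
 */
function validateNumericColumnValue(string $value): bool
{
    return is_numeric($value);
}

// Stand-alone demonstration.
$rejected = array_values(array_filter(
    SAMPLE_COLUMN,
    static fn(string $v): bool => !validateNumericColumnValue($v)
));

echo "Rejected on input (SI-10): " . implode(', ', $rejected) . PHP_EOL;
echo "Unescaped render:          " . renderRangeUnescaped(SAMPLE_COLUMN) . PHP_EOL;
echo "Escaped render (SI-15):    " . renderRangeEscaped(SAMPLE_COLUMN) . PHP_EOL;

// The escaped output must never contain a raw tag from the stored data.
assert(strpos(renderRangeEscaped(SAMPLE_COLUMN), '<img') === false);
assert(strpos(renderRangeEscaped(SAMPLE_COLUMN), '&lt;img') !== false);
```

Run with `php range_summarizer.php`. With the sample data the unescaped renderer emits the stored `<img …>` tag verbatim, while the escaped renderer emits `&lt;img src=x onerror=alert(1)&gt;` as inert text; the validator flags the same row before it would ever reach storage.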
Details
- CWE(s)