CVE-2026-55409: filament stored XSS — HIGH

CISO Take

A stored cross-site scripting flaw in Filament's RichEditor component allows any low-privilege account holder to inject arbitrary JavaScript that executes silently the moment a higher-privileged user opens the same form record. Filament is broadly used to build admin portals and backoffice interfaces for web applications — including those serving as management layers for AI/ML systems, model registries, and compliance dashboards — making a hijacked admin session potentially catastrophic in scope. With CVSS 7.6 High and a Changed Scope vector (S:C), the impact escapes the vulnerable component: stolen session tokens can unlock model configuration, inference API keys, dataset pipelines, and audit-trail manipulation. Upgrade to Filament 3.3.53 immediately; no workaround short of sanitizing all data before it reaches RichEditor field state fully neutralises the risk.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

CVSS 7.6 High with Changed Scope signals cross-component impact from a single form field compromise. Attack complexity is low, only low privileges are required to plant the payload, and the sole friction is a victim needing to view the affected form — a common workflow in any admin panel. No CISA KEV listing and absent EPSS data reduce the immediate exploitation probability, but stored XSS is a well-understood, trivially reproducible class with no novel skill requirement. For AI/ML organisations whose admin portal runs on Filament, an unpatched instance is a single credential away from full backoffice compromise.

How does the attack unfold?

Initial Access

Attacker authenticates with a low-privilege Filament account, gaining write access to forms containing RichEditor fields.

AML.T0012

Payload Injection

Attacker submits a form value embedding malicious HTML/JavaScript, which is persisted to the database without sanitization.

AML.T0049

Trigger Execution

A higher-privileged user opens the affected record; the disabled RichEditor renders raw stored HTML, executing the attacker's script in the victim's browser.

AML.T0011

Session Compromise

Attacker exfiltrates the admin session token and assumes full control of the AI system backoffice, including model configuration, inference API keys, and compliance artefacts.

AML.T0048.003

Initial Access

Attacker authenticates with a low-privilege Filament account, gaining write access to forms containing RichEditor fields.

AML.T0012

Payload Injection

Attacker submits a form value embedding malicious HTML/JavaScript, which is persisted to the database without sanitization.

AML.T0049

Trigger Execution

A higher-privileged user opens the affected record; the disabled RichEditor renders raw stored HTML, executing the attacker's script in the victim's browser.

AML.T0011

Session Compromise

Attacker exfiltrates the admin session token and assumes full control of the AI system backoffice, including model configuration, inference API keys, and compliance artefacts.

AML.T0048.003

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
filament	—	—	No patch

Do you use filament? You're affected.

How severe is it?

CVSS 3.1

7.6 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI Required

S Changed

C High

I Low

A None

What should I do?

5 steps

Upgrade Filament to 3.3.53 or later — the only definitive fix per the upstream advisory (GHSA-m9cv-24rx-8mv7).
Until patched, audit all forms containing RichEditor fields and treat any stored field state originating from user input as potentially malicious.
Enforce strict Content Security Policy (CSP) headers on Filament admin panels to constrain JavaScript execution surface.
Review admin audit logs for anomalous form submissions or privilege-escalation events from low-privilege accounts.
Rotate API keys, credentials, and session secrets accessible via the Filament admin interface if patch deployment is delayed beyond 24 hours.

How is it classified?

Auth Bypass Data Extraction Framework API AML.T0011 - User Execution AML.T0012 - Valid Accounts AML.T0048.003 - User Harm AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.10.1 - AI system security measures

NIST AI RMF

MANAGE-2.2 - Risk response for identified AI risks

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2026-55409?

A stored cross-site scripting flaw in Filament's RichEditor component allows any low-privilege account holder to inject arbitrary JavaScript that executes silently the moment a higher-privileged user opens the same form record. Filament is broadly used to build admin portals and backoffice interfaces for web applications — including those serving as management layers for AI/ML systems, model registries, and compliance dashboards — making a hijacked admin session potentially catastrophic in scope. With CVSS 7.6 High and a Changed Scope vector (S:C), the impact escapes the vulnerable component: stolen session tokens can unlock model configuration, inference API keys, dataset pipelines, and audit-trail manipulation. Upgrade to Filament 3.3.53 immediately; no workaround short of sanitizing all data before it reaches RichEditor field state fully neutralises the risk.

Is CVE-2026-55409 actively exploited?

No confirmed active exploitation of CVE-2026-55409 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55409?

1. Upgrade Filament to 3.3.53 or later — the only definitive fix per the upstream advisory (GHSA-m9cv-24rx-8mv7). 2. Until patched, audit all forms containing RichEditor fields and treat any stored field state originating from user input as potentially malicious. 3. Enforce strict Content Security Policy (CSP) headers on Filament admin panels to constrain JavaScript execution surface. 4. Review admin audit logs for anomalous form submissions or privilege-escalation events from low-privilege accounts. 5. Rotate API keys, credentials, and session secrets accessible via the Filament admin interface if patch deployment is delayed beyond 24 hours.

What systems are affected by CVE-2026-55409?

This vulnerability affects the following AI/ML architecture patterns: AI admin interfaces, MLOps dashboards, model management portals, AI compliance management systems.

What is the CVSS score for CVE-2026-55409?

CVE-2026-55409 has a CVSS v3.1 base score of 7.6 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI admin interfacesMLOps dashboardsmodel management portalsAI compliance management systems

MITRE ATLAS Techniques

AML.T0011 User Execution

AML.T0012 Valid Accounts

AML.T0048.003 User Harm

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.10.1

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.

Exploitation Scenario

An attacker obtains a low-privilege Filament account on an AI system's admin portal — via credential stuffing, a public registration form, or a compromised team member account. They navigate to a model or dataset management record containing a RichEditor field and save a JavaScript payload that silently exfiltrates the viewer's session cookie to an attacker-controlled endpoint. When an administrator later opens the same record for review, the disabled RichEditor renders the raw stored HTML without sanitization, executing the payload in the admin's browser context. The attacker captures the session token, takes over the privileged account, and gains full control of the AI system backoffice: model configuration, inference API keys, user management, and compliance evidence packs.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.