filamentphp filament up to 3.3.51/4.11.4/5.6.4 Livewire authorization

Summaryinfo

A vulnerability classified as critical was found in filamentphp filament up to 3.3.51/4.11.4/5.6.4. Affected by this vulnerability is an unknown functionality of the component Livewire. The manipulation results in authorization. This vulnerability is cataloged as CVE-2026-48500. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as critical has been found in filamentphp filament up to 3.3.51/4.11.4/5.6.4. Affected is an unknown function of the component Livewire. The manipulation with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. This is going to have an impact on integrity, and availability. CVE summarizes:

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.

The advisory is available at github.com. This vulnerability is traded as CVE-2026-48500 since 05/21/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available.

Upgrading to version 3.3.52, 4.11.5 or 5.6.5 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-38394). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• filamentphp

Name

• filament

Version

• 3.3.0
• 3.3.1
• 3.3.2
• 3.3.3
• 3.3.4
• 3.3.5
• 3.3.6
• 3.3.7
• 3.3.8
• 3.3.9
• 3.3.10
• 3.3.11
• 3.3.12
• 3.3.13
• 3.3.14
• 3.3.15
• 3.3.16
• 3.3.17
• 3.3.18
• 3.3.19
• 3.3.20
• 3.3.21
• 3.3.22
• 3.3.23
• 3.3.24
• 3.3.25
• 3.3.26
• 3.3.27
• 3.3.28
• 3.3.29
• 3.3.30
• 3.3.31
• 3.3.32
• 3.3.33
• 3.3.34
• 3.3.35
• 3.3.36
• 3.3.37
• 3.3.38
• 3.3.39
• 3.3.40
• 3.3.41
• 3.3.42
• 3.3.43
• 3.3.44
• 3.3.45
• 3.3.46
• 3.3.47
• 3.3.48
• 3.3.49
• 3.3.50
• 3.3.51
• 4.11.0
• 4.11.1
• 4.11.2
• 4.11.3
• 4.11.4
• 5.6.0
• 5.6.1
• 5.6.2
• 5.6.3
• 5.6.4

Website

• Product: https://github.com/filamentphp/filament/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion