CVE-2026-48500
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
Filament, a collection of components for accelerated Laravel development, has a vulnerability that allows unauthenticated users to upload files in certain forms, such as the login form. This could lead to unauthorized access to the application's temporary storage.
Risk Assessment
Unauthenticated attackers could exploit this vulnerability to upload arbitrary files, potentially exhausting disk space or inflating storage costs. This poses a serious security risk to the application.
Recommendation
It is recommended to update Filament to versions 3.3.52, 4.11.5, or 5.6.5 to mitigate this vulnerability. Additionally, review forms that do not require file uploads to minimize risk.
Original NVD description (English source)
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.

