Most recent sightings.

https://vulnerability.circl.lu/sightings/feed Most recent sightings. 2026-06-27T17:57:09.718898+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/79415609-b2c3-48f0-89c3-111e4f8aa647/export 79415609-b2c3-48f0-89c3-111e4f8aa647 2026-06-27T17:57:09.745674+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "79415609-b2c3-48f0-89c3-111e4f8aa647", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48167", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mow75wphmt2e", "content": "CVE-2026-48167 - Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS\nCVE ID : CVE-2026-48167\n \n Published : June 22, 2026, 9:43 p.m. | 2\u00a0hours ago\n \n Description : Filament is a collection of full-stack components for accelerated Laravel development. Fr...", "creation_timestamp": "2026-06-23T01:00:09.798421Z"} 2026-06-23T01:00:09.798421+00:00 https://vulnerability.circl.lu/sighting/2b6a0b2e-7d6f-4658-bc26-5e0581e54a20/export 2b6a0b2e-7d6f-4658-bc26-5e0581e54a20 2026-06-27T17:57:09.743820+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "2b6a0b2e-7d6f-4658-bc26-5e0581e54a20", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48167", "type": "seen", "source": "https://gist.github.com/alon710/ef60a8d2e003433e0632a30f0def6b96", "content": "# CVE-2026-48167: CVE-2026-48167: Stored Cross-Site Scripting (XSS) via Attribute Injection in Filament ImageColumn and ImageEntry\n\n> **CVSS Score:** 6.4\n> **Published:** 2026-06-23\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48167\n\n## Summary\nFilament's ImageColumn (used in tables) and ImageEntry (used in infolists) components render database values inside HTML attributes without validation or sanitization. This allows an attacker to inject arbitrary HTML attributes, leading to Stored Cross-Site Scripting (XSS).\n\n## TL;DR\nAn HTML attribute injection vulnerability in Filament v4.x and v5.x allows authenticated users with database write privileges to inject arbitrary JavaScript payloads into image components, executing code in the security context of administrators viewing the record.\n\n## Technical Details\n\n- **CWE ID**: CWE-79 (Improper Neutralization of Input During Web Page Generation)\n- **Attack Vector**: Network / Low Privileges Required\n- **CVSS v3.1 Score**: 6.4\n- **EPSS Score**: 0.00148 (0.15% probability)\n- **Impact**: Stored Cross-Site Scripting (XSS)\n- **Exploit Status**: No active public exploits\n\n## Affected Systems\n\n- Laravel applications implementing Filament tables with ImageColumn components\n- Laravel applications implementing Filament infolists with ImageEntry components\n- **filament/tables**: >= 4.0.0, < 4.11.5 (Fixed in: `4.11.5`)\n- **filament/tables**: >= 5.0.0, < 5.6.5 (Fixed in: `5.6.5`)\n- **filament/infolists**: >= 4.0.0, < 4.11.5 (Fixed in: `4.11.5`)\n- **filament/infolists**: >= 5.0.0, < 5.6.5 (Fixed in: `5.6.5`)\n\n## Mitigation\n\n- Upgrade to patched upstream library versions\n- Verify and audit published local Blade template overrides\n- Enforce standard Content Security Policy (CSP) configurations restricting inline script executions\n- Validate user-provided image URLs prior to database persistence\n\n**Remediation Steps:**\n1. Run 'composer update filament/filament' in your terminal.\n2. Ensure package composer.json references >=4.11.5 or >=5.6.5.\n3. Inspect files in 'resources/views/vendor/filament' for raw unescaped output references.\n4. Query databases for potentially dangerous string entries inside columns rendered by ImageColumn components.\n\n## References\n\n- [GHSA-3fc8-8hp6-6jr4](https://github.com/filamentphp/filament/security/advisories/GHSA-3fc8-8hp6-6jr4)\n- [CVE-2026-48167 Authoritative CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48167)\n- [Filament Vulnerability Fix Commit](https://github.com/filamentphp/filament/commit/e1f36a7316d75476f3301e044cc360d7cb746c56)\n- [National Vulnerability Database Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-48167)\n- [Official Package Repository](https://github.com/filamentphp/filament)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48167) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T07:11:47.000000Z"} 2026-06-24T07:11:47+00:00