CVE-2026-48500 | Filament is a collection of full-stack components for accele… | CVSS 6.5 MEDIUM

Description

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.

Metadata

CVE ID: CVE-2026-48500
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-21 15:33 UTC
Published: 2026-06-22 21:41 UTC
Last updated: 2026-06-22 21:41 UTC
Primary CWE: CWE-862
CWE-862: Missing Authorization
Vendor / Product: filamentphp / filament
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected products (1)

Vendor	Product	Platform	Versions
filamentphp	filament	—	>= 3.0.0, < 3.3.52, >= 5.0.0, < 5.6.5, >= 4.0.0, < 4.11.5

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	CWE-862: Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References (1)

https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5 https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5