Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| filamentphp | filament | affected |
|
No data.
No data.
No data.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-m9cv-24rx-8mv7 | Filament: Disabled RichEditor field state can be used for XSS |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 22 Jun 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. This vulnerability is fixed in 3.3.53. | |
| Title | Filament: Disabled RichEditor field state can be used for XSS | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-22T21:47:51.607Z
Reserved: 2026-06-16T21:48:43.124Z
Link: CVE-2026-55409
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses