GHSA-7q3w-xqjw-g3cr

Source
https://github.com/advisories/GHSA-7q3w-xqjw-g3cr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7q3w-xqjw-g3cr/GHSA-7q3w-xqjw-g3cr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7q3w-xqjw-g3cr
Aliases
  • CVE-2026-48067
Published
2026-06-11T20:26:07Z
Modified
2026-06-11T20:30:08.592810754Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
Details

The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.

Database specific
{
    "github_reviewed_at": "2026-06-11T20:26:07Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-639"
    ],
    "nvd_published_at": null,
    "github_reviewed": true
}

Affected packages

Packagist / filament/tables

Package

Name
filament/tables
Purl
pkg:composer/filament%2Ftables

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.3.51

Affected versions

v3.*

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7q3w-xqjw-g3cr/GHSA-7q3w-xqjw-g3cr.json"
last_known_affected_version_range
"<= 3.3.50"

Packagist / filament/actions

Package

Name
filament/actions
Purl
pkg:composer/filament%2Factions

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.11.4

Affected versions

v4.*

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7q3w-xqjw-g3cr/GHSA-7q3w-xqjw-g3cr.json"
last_known_affected_version_range
"<= 4.11.3"

Packagist / filament/actions

Package

Name
filament/actions
Purl
pkg:composer/filament%2Factions

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.6.4

Affected versions

v5.*

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7q3w-xqjw-g3cr/GHSA-7q3w-xqjw-g3cr.json"
last_known_affected_version_range
"<= 5.6.3"