GHSA-5w46-g9pq-wh6f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5w46-g9pq-wh6f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5w46-g9pq-wh6f/GHSA-5w46-g9pq-wh6f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5w46-g9pq-wh6f
- Aliases
-
- CVE-2026-48166
- Published
- 2026-06-23T21:54:35Z
- Modified
- 2026-06-23T22:00:15.392170946Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Filament: Timing-based user enumeration on login page
- Details
-
The login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email.
- Database specific
{ "github_reviewed_at": "2026-06-23T21:54:35Z", "severity": "MODERATE", "cwe_ids": [ "CWE-208" ], "github_reviewed": true, "nvd_published_at": "2026-06-22T22:16:46Z" }- References
Affected packages
Packagist / filament/filament
Package
- Name
- filament/filament
- Purl
- pkg:composer/filament%2Ffilament
Affected versions
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.3.0
v4.3.1
v4.4.0
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.8.4
v4.8.5
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.4
v4.9.5
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.11.4
Packagist / filament/filament
Package
- Name
- filament/filament
- Purl
- pkg:composer/filament%2Ffilament