GHSA-3fc8-8hp6-6jr4

Source
https://github.com/advisories/GHSA-3fc8-8hp6-6jr4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3fc8-8hp6-6jr4/GHSA-3fc8-8hp6-6jr4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3fc8-8hp6-6jr4
Aliases
  • CVE-2026-48167
Published
2026-06-23T21:57:49Z
Modified
2026-06-23T22:00:15.429014834Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS
Details

The ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema.

Database specific
{
    "github_reviewed_at": "2026-06-23T21:57:49Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2026-06-22T22:16:46Z",
    "github_reviewed": true
}
Affected packages

Packagist / filament/infolists

Package

Name
filament/infolists
Purl
pkg:composer/filament%2Finfolists

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.11.5

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.3.0
v4.3.1
v4.4.0
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.8.4
v4.8.5
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.4
v4.9.5
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.11.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3fc8-8hp6-6jr4/GHSA-3fc8-8hp6-6jr4.json"
last_known_affected_version_range
"<= 4.11.4"

Packagist / filament/tables

Package

Name
filament/tables
Purl
pkg:composer/filament%2Ftables

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.11.5

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.3.0
v4.3.1
v4.4.0
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.8.4
v4.8.5
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.4
v4.9.5
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.11.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3fc8-8hp6-6jr4/GHSA-3fc8-8hp6-6jr4.json"
last_known_affected_version_range
"<= 4.11.4"

Packagist / filament/infolists

Package

Name
filament/infolists
Purl
pkg:composer/filament%2Finfolists

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.6.5

Affected versions

v5.*
v5.0.0
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.5.0
v5.5.1
v5.5.2
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3fc8-8hp6-6jr4/GHSA-3fc8-8hp6-6jr4.json"
last_known_affected_version_range
"<= 5.6.4"

Packagist / filament/tables

Package

Name
filament/tables
Purl
pkg:composer/filament%2Ftables

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.6.5

Affected versions

v5.*
v5.0.0
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.5.0
v5.5.1
v5.5.2
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3fc8-8hp6-6jr4/GHSA-3fc8-8hp6-6jr4.json"
last_known_affected_version_range
"<= 5.6.4"