PT-2026-50597 · Packagist · Filament/Forms
Published
2026-06-17
·
Updated
2026-06-17
·
CVE-2026-55409
CVSS v3.1
7.6
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
In Filament v3, a disabled
RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form.Please note that Filament v4 and above does not use the same mechanism for rendering a disabled
RichEditor so this advisory does not apply.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Filament/Forms