CVE-2026-48067

MEDIUM 6.5

Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fields

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.

CWE	CWE-639
Vendor	filamentphp
Product	filament
Published	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for filamentphp filament

Be the first to know when new medium vulnerabilities affecting filamentphp filament are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

filamentphp / filament

>= 4.0.0, < 4.11.4 >= 5.0.0, < 5.6.4 >= 3.0.0, < 3.3.51

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr