CVE-2026-48500

MEDIUM 6.5

Filament: Unauthenticated temporary file upload on auth pages

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.

CWE	CWE-862
Vendor	filamentphp
Product	filament
Published	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for filamentphp filament

Be the first to know when new medium vulnerabilities affecting filamentphp filament are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Affected Versions

filamentphp / filament

>= 3.0.0, < 3.3.52 >= 5.0.0, < 5.6.5 >= 4.0.0, < 4.11.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/filamentphp/filament/security/advisories/GHSA-44wp-g8f4-f4v5