Home

Description

Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.

PUBLISHED Reserved 2026-05-20 | Published 2026-06-22 | Updated 2026-06-23 | Assigner GitHub_M




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

>= 4.0.0, < 4.11.4
affected

>= 5.0.0, < 5.6.4
affected

>= 3.0.0, < 3.3.51
affected

References

github.com/...lament/security/advisories/GHSA-7q3w-xqjw-g3cr

cve.org (CVE-2026-48067)

nvd.nist.gov (CVE-2026-48067)

Download JSON