
CVE-2026-33080: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in filamentphp filament

Severity: High
Type: Vulnerability
Tags: CVE-2026-33080, CWE-79, CWE-80
Published: Fri Mar 20 2026 (03/20/2026, 08:58:45 UTC)
Source: CVE Database V5
Vendor/Project: filamentphp
Product: filament

Description

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers (Range, Values) that render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers. This issue has been patched in versions 4.8.5 and 5.3.5.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 18:53:59 UTC

Technical Analysis

CVE-2026-33080 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Filament PHP framework, a set of full-stack components designed to accelerate Laravel application development. The vulnerability specifically affects two Filament Table summarizers, 'Range' and 'Values', which render raw database values directly into web pages without proper HTML escaping. This improper neutralization of input (CWE-79) allows an attacker to inject malicious HTML or JavaScript code into database fields that are displayed using these summarizers. If the application does not validate or sanitize data before storing it, the malicious payload persists in the database and executes in the browsers of users who view the affected tables. The vulnerability spans Filament versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4, with patches released in versions 4.8.5 and 5.3.5 that properly escape output to mitigate this risk. The CVSS v3.1 base score of 7.3 indicates a high-severity issue, with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity but not availability. While no active exploits have been reported, the vulnerability poses a significant risk in environments where untrusted data can be stored and displayed via these summarizers. The flaw highlights the critical need for output encoding and input validation in web applications to prevent XSS attacks that can lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim user.

Potential Impact

The impact of CVE-2026-33080 is significant for organizations using the affected versions of the Filament PHP framework in their Laravel applications. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of users viewing vulnerable tables, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, and spreading malware. This compromises the confidentiality and integrity of user data and application workflows. Since the vulnerability is stored XSS, it can persist and affect multiple users over time, increasing the attack surface. Organizations with web applications that rely on Filament Table summarizers and accept user-generated or untrusted data in database columns are at risk. The vulnerability could be leveraged in targeted attacks against internal users or customers, especially in environments where users have elevated privileges or access sensitive data. Although no known exploits are currently in the wild, the ease of exploitation and the widespread use of Laravel and Filament in web development suggest a high potential for future attacks if unpatched. The vulnerability does not affect availability directly but can lead to significant operational and reputational damage.

Mitigation Recommendations

To mitigate CVE-2026-33080, organizations should immediately upgrade Filament PHP to versions 4.8.5 or 5.3.5 or later, where the vulnerability has been patched by properly escaping HTML output in the Table summarizers. In addition to upgrading, developers should implement strict input validation and sanitization on all user-supplied data before storing it in the database to prevent malicious payloads from being saved. Employ output encoding best practices consistently across the application, especially when rendering data in HTML contexts. Conduct thorough code reviews and security testing focused on XSS risks, including automated scanning and manual penetration testing of web interfaces using Filament components. Consider implementing Content Security Policy (CSP) headers to reduce the impact of any potential XSS by restricting script execution sources. Educate developers on secure coding practices related to input handling and output encoding. Monitor application logs and user reports for suspicious activity that could indicate attempted exploitation. Finally, restrict privileges to only necessary users to reduce the risk posed by attackers needing some level of access to plant malicious data.
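To make the output-encoding recommendation concrete, here is an added illustrative example in plain PHP; it is not Filament's code and does not reproduce its summarizer API. It models a "Values" summarizer (distinct values of a column) and a "Range" summarizer (minimum and maximum), first in the unsafe shape the advisory describes (database values interpolated straight into HTML) and then hardened with contextual escaping via `htmlspecialchars`, which is what Laravel's `e()` helper and Blade's `{{ }}` syntax call under the hood. The column contents and the summarizer function names are constructed for the example.

```php
<?php
// Added example, not Filament's own code. A minimal table summarizer in two
// forms: unsafe raw interpolation (the bug class behind CVE-2026-33080) and
// the hardened form that escapes every database value for the HTML context.

declare(strict_types=1);

/** Escapes a value for placement inside HTML element content or attributes. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** UNSAFE: distinct values are concatenated into markup without escaping. */
function summarizeValuesUnsafe(array $values): string
{
    $items = array_map(
        fn(string $v): string => "<li>{$v}</li>",
        array_unique($values)
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

/** Hardened "Values" summarizer: each distinct value is escaped before rendering. */
function summarizeValuesSafe(array $values): string
{
    $items = array_map(
        fn(string $v): string => '<li>' . escapeHtml($v) . '</li>',
        array_unique($values)
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

/** Hardened "Range" summarizer: min and max of the column, both escaped. */
function summarizeRangeSafe(array $values): string
{
    if ($values === []) {
        return '<span>-</span>';
    }
    return '<span>' . escapeHtml((string) min($values))
        . ' - ' . escapeHtml((string) max($values)) . '</span>';
}

// Constructed sample column: one row contains markup that a user typed into
// a free-text field and that was stored without validation.
$column = ['Alice', 'Bob', '<script>alert(1)</script>', 'Alice'];

// The unsafe form hands the stored markup to the browser as live HTML.
echo summarizeValuesUnsafe($column), PHP_EOL;

// The hardened forms render the same row as inert text (&lt;script&gt;...).
echo summarizeValuesSafe($column), PHP_EOL;
echo summarizeRangeSafe($column), PHP_EOL;
```

Running this with `php example.php` shows the difference directly: the first line contains a literal `<script>` element, the second and third contain `&lt;script&gt;`. The escaping belongs at the point of rendering, independently of any input validation, because the same column may be written by code paths (imports, API clients, admin tools) that bypass form validation. A Content-Security-Policy header such as `script-src 'self'` adds a second layer that limits what an inline payload can do if an escaping gap is ever missed, but it is not a substitute for encoding.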


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-17T19:27:06.345Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bd0ec2e32a4fbe5f4a70d9

Added to database: 3/20/2026, 9:09:22 AM

Last enriched: 3/27/2026, 6:53:59 PM

Last updated: 5/4/2026, 4:32:46 PM
