CVE-2026-33080 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Filament PHP framework, a set of full-stack components designed to accelerate Laravel application development. The flaw exists in versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4, specifically within two Filament Table summarizers named Range and Values. These summarizers render raw database values directly into web pages without escaping or sanitizing HTML content. Consequently, if the data stored in the database columns used by these summarizers is not properly validated or sanitized, an attacker with the ability to insert malicious HTML or JavaScript code into these fields can cause that code to be stored persistently. When legitimate users view the tables containing these summarizers, the malicious script executes in their browsers, leading to stored XSS. This can allow attackers to hijack user sessions, steal sensitive information, or perform actions on behalf of the user within the application context. The vulnerability requires the attacker to have some level of write access to the database fields in question and relies on user interaction to trigger the malicious payload. The issue has been addressed in Filament versions 4.8.5 and 5.3.5 by properly escaping or sanitizing the output of these summarizers to prevent injection of executable code. The CVSS v3.1 base score is 7.3, reflecting high severity due to the potential impact on confidentiality and integrity, ease of exploitation with low attack complexity, and the requirement for privileges and user interaction.

The primary impact of this vulnerability is the compromise of user confidentiality and integrity within applications using vulnerable Filament versions. Successful exploitation can lead to session hijacking, theft of sensitive data such as authentication tokens or personal information, and unauthorized actions performed in the context of the victim user. This can result in account takeover, data leakage, and erosion of user trust. Since the vulnerability is stored XSS, the malicious payload persists in the application database, affecting all users who view the compromised tables. Although availability is not directly impacted, the reputational damage and potential regulatory consequences from data breaches can be significant. Organizations relying on Filament for Laravel development, especially those exposing administrative or user-facing tables with summarizers, face increased risk. Attackers with limited privileges can leverage this vulnerability to escalate their impact. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

To mitigate this vulnerability, organizations should immediately upgrade Filament to versions 4.8.5 or 5.3.5 or later, where the issue is patched. In addition to upgrading, developers should implement strict input validation and sanitization on all data fields that feed into the Range and Values summarizers to prevent injection of malicious content. Employing a Content Security Policy (CSP) can help reduce the impact of any residual XSS by restricting script execution sources. Regular code reviews and security testing focusing on output encoding and input validation are recommended to detect similar issues early. For legacy systems where immediate upgrade is not feasible, consider disabling or restricting access to the vulnerable summarizers or filtering out HTML tags from database inputs. Monitoring application logs and user reports for suspicious activity can help detect exploitation attempts. Educating developers on secure coding practices related to output encoding and sanitization in web applications is also critical to prevent recurrence.