Advisories for Composer/Filament/Infolists package

2026

Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS

The ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema.

2024

Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting

If values passed to a ColorColumn or ColumnEntry are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a color column or entry is rendered. Versions of Filament from v3.0.0 through v3.2.114 are affected. Please upgrade to Filament v3.2.115.