Advisories for Composer/Filament/Tables package

2026

Filament Unvalidated Range and Values summarizer values can be used for XSS

Two Filament Table summarizers (Range, Values) render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with those summarizers.

2024

Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting

If values passed to a ColorColumn or ColumnEntry are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a color column or entry is rendered. Versions of Filament from v3.0.0 through v3.2.114 are affected. Please upgrade to Filament v3.2.115.