PatchSiren

CVE-2026-48067 filamentphp CVE debrief

CVE-2026-48067 is a vulnerability in Filament, a collection of full-stack components for accelerated Laravel development. The vulnerability affects filament/actions versions 4.0.0 to 4.11.4 and 5.6.4, and filament/tables versions 3.0.0 to 3.3.51. An attacker who can trigger the AttachAction and AssociateAction could tamper with the Livewire component's state and submit an out-of-scope value due to a discrepancy between the recordSelectOptionsQuery() method and the built-in validation rule. This issue is fixed in filament/actions versions 4.11.4 and 5.6.4, and filament/tables version 3.3.51.

Vendor: filamentphp
Product: filament
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-23
Advisory published: 2026-06-22
Advisory updated: 2026-06-23

Who should care

Developers and administrators using Filament for Laravel development should be aware of this vulnerability and take immediate action to update their dependencies to the patched versions. This vulnerability has a CVSS score of 6.5 and a severity of MEDIUM, indicating a moderate level of risk.

Technical summary

The vulnerability arises from the recordSelectOptionsQuery() method in filament/actions and filament/tables, which allows scoping of options for the Select field in AttachAction and AssociateAction. However, the built-in validation rule for these fields does not apply the same scope, enabling an attacker to submit an out-of-scope value. The issue is addressed in filament/actions versions 4.11.4 and 5.6.4, and filament/tables version 3.3.51.
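
A minimal model of the mismatch described above, added here as an illustration; it is not Filament's code or code from the advisory. The table layout, the team_id scope and all function names are assumptions, with an in-memory SQLite database standing in for the application's data.

```python
import sqlite3

def make_db():
    """Constructed sample data: three records owned by two teams (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, team_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)",
                   [(1, 10, "alpha"), (2, 10, "beta"), (3, 20, "gamma")])
    return db

# One definition of the scope, shared by every query that must honour it.
SCOPE = "team_id = ?"

def select_options(db, team_id):
    """Stand-in for the scoped options query: the ids the Select field offers."""
    rows = db.execute(f"SELECT id FROM records WHERE {SCOPE} ORDER BY id", (team_id,))
    return [r[0] for r in rows]

def validate_exists_only(db, team_id, submitted_id):
    """Flawed rule: confirms the record exists but never applies the scope."""
    row = db.execute("SELECT 1 FROM records WHERE id = ?", (submitted_id,)).fetchone()
    return row is not None

def validate_in_scope(db, team_id, submitted_id):
    """Corrected rule: the record must exist inside the same scope as the options."""
    if not isinstance(submitted_id, int) or isinstance(submitted_id, bool):
        return False  # reject non-integer keys instead of relying on SQLite coercion
    row = db.execute(f"SELECT 1 FROM records WHERE id = ? AND {SCOPE}",
                     (submitted_id, team_id)).fetchone()
    return row is not None

def attach(db, team_id, submitted_id, validator):
    """Server-side handler: the value arrives from client state, not from the option list."""
    if not validator(db, team_id, submitted_id):
        raise ValueError("selected record is not valid")
    return submitted_id

if __name__ == "__main__":
    db = make_db()
    print("options offered to team 10:", select_options(db, 10))
    for rule in (validate_exists_only, validate_in_scope):
        for rid in (2, 3):  # 3 belongs to team 20, so it is never offered to team 10
            print(f"{rule.__name__}(id={rid}) -> {rule(db, 10, rid)}")
```

The point to carry into a code review is that the option list and the validation rule must be derived from the same scope definition, because only the validation rule is enforced on the server.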

Defensive priority

Apply updates to filament/actions and filament/tables to the patched versions as soon as possible. Review and monitor your application's usage of AttachAction and AssociateAction to detect potential exploitation attempts.

Recommended defensive actions

  • Update filament/actions to version 4.11.4 or later
  • Update filament/actions to version 5.6.4 or later
  • Update filament/tables to version 3.3.51 or later
  • Review application code for custom usage of recordSelectOptionsQuery() method
  • Monitor application logs for suspicious activity related to AttachAction and AssociateAction

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. The source item URL provides additional context from the NVD database. The reference to the GitHub security advisory offers further details on the vulnerability and its fix.

This article is AI-assisted and based on the supplied source corpus.