Filament: Disabled RichEditor field state can be used for XSS
- When
- Where: Global (internet)
- Category: cyber_advisory · composer
In Filament v3, a disabled `RichEditor` field rendered its raw state without sanitizing the HTML. If the data stored in that field's state had not already been sanitized when the form state was filled, an attacker who could plant malicious HTML or JavaScript in it achieved XSS that executes for every user who views the form. Filament v4 and above does not use the same mechanism to render a disabled `RichEditor`, so this advisory does not apply to those versions.
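The practical mitigation on an affected v3 install is to never let unsanitized HTML reach the disabled editor's view: clean the state when the form is filled from the record and again before it is saved. The following is an added example written for this page, not Filament's own code or the advisory's patch. It assumes `Str::sanitizeHtml()` is the HTML-purifier macro that `filament/support` registers on Illuminate's `Str`, and `body` is a hypothetical column name; the payload is constructed for illustration.

```php
<?php

// Added example (not Filament's code or the advisory's fix): a Filament v3
// RichEditor definition that sanitizes state on hydration and dehydration so
// the disabled view never receives raw stored HTML.
// Assumptions: Str::sanitizeHtml() is the purifier macro registered by
// filament/support; 'body' is a hypothetical column name.

use Filament\Forms\Components\RichEditor;
use Illuminate\Support\Str;

// Constructed payload of the kind the advisory describes. If it reaches the
// disabled editor's view unsanitized, the onerror handler runs for every
// viewer of the form. Any HTML purifier is expected to drop the onerror
// attribute; the exact allowlist depends on Filament's purifier config.
$constructedPayload = '<p>Hello</p><img src="x" onerror="alert(document.cookie)">';

$field = RichEditor::make('body')
    ->disabled()
    // Runs when form state is filled from the record: clean whatever was
    // stored, regardless of whether the writer sanitized it at save time.
    ->afterStateHydrated(function (RichEditor $component, ?string $state): void {
        $component->state(Str::sanitizeHtml($state ?? ''));
    })
    // Runs before state is saved: keeps stored data clean for other consumers
    // (exports, API responses, other views) that may render it as HTML.
    ->dehydrateStateUsing(fn (?string $state): string => Str::sanitizeHtml($state ?? ''));

// Place $field in the resource's form() schema. To confirm the hardening
// works, write $constructedPayload to the 'body' column through a path that
// bypasses the form (for example a direct database write), open the form
// with the field disabled, and check that no script-bearing attribute
// survives in the rendered page.
```

The hydration hook is the one that matters for this advisory, because the vulnerable path is the read side: data may have been written by an older version, an import, or a different form that never sanitized it. The dehydration hook is defence in depth so the stored value is clean for anything else that renders it.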
Sources
- GitHub Advisory Database · first seen 2026-06-17 18:41 UTC