
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48500: Unauthenticated File Upload and Resource Exhaustion in Filament Admins

Vulnerability ID: CVE-2026-48500
CVSS Score: 6.5
Published: 2026-06-23

CVE-2026-48500 is an authorization bypass vulnerability within Filament, a full-stack Laravel administration panel suite. The flaw arises from the unauthenticated exposure of Livewire's file upload RPC endpoints on guest-facing pages, allowing remote actors to upload arbitrary files to temporary storage, potentially leading to storage exhaustion and service disruption.

TL;DR

Unauthenticated users can exploit exposed Livewire file-upload endpoints on public pages to write arbitrary files to server storage, causing potential denial-of-service conditions.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 6.5
  • EPSS Score: 0.00207 (10.69th percentile)
  • Impact: Storage depletion, Denial of Service (DoS)
  • Exploit Status: PoC / Conceptual
  • CISA KEV Status: Not Listed

Affected Systems

  • Filament Admin Panels for Laravel (filament/filament)
  • filament/filament: >= 3.0.0, < 3.3.52 (Fixed in: 3.3.52)
  • filament/filament: >= 4.0.0, < 4.11.5 (Fixed in: 4.11.5)
  • filament/filament: >= 5.0.0, < 5.6.5 (Fixed in: 5.6.5)

Code Analysis

Commit: c02157e

Implement file upload restriction in Filament v3 components

Commit: f7500b1

Restrict file uploads to schema components in Filament v4 and v5

Commit: 192d9ac

Hardening lifecycle hooks and security configurations

Mitigation Strategies

  • Upgrade filament/filament dependency to patched versions
  • Implement custom web application firewalls or middleware to block upload RPCs on unauthenticated login routes
  • Ensure all custom public Livewire components enforce strict schema limits on dynamic file handling traits

Remediation Steps:

  1. Verify current Filament version via 'composer show filament/filament'
  2. Run 'composer update filament/filament' to pull down the latest patch updates
  3. Apply RestrictsFileUploadsToSchemaComponents or RestrictsFileUploadsToFormComponents to custom public-facing components
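Step 1 can be automated across many deployments. The following is an added example, not part of the original advisory or of Filament itself: a small Python check that reads a composer.lock and reports whether the pinned filament/filament release falls inside one of the affected ranges listed above. The lock-file excerpt embedded at the bottom is constructed for illustration.

```python
"""Check composer.lock for a filament/filament release affected by CVE-2026-48500."""
import json
import re

# Affected ranges from the advisory, as (first affected, first fixed) tuples.
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 3, 52)),
    ((4, 0, 0), (4, 11, 5)),
    ((5, 0, 0), (5, 6, 5)),
]

def parse_version(version):
    """Convert a Composer version such as 'v3.3.51' or '4.11.5' to an int tuple.

    Branch aliases like 'dev-main' carry no release number and are rejected,
    so the caller can flag them for manual review instead of guessing.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"cannot parse release number from {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if the release sits inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)

def check_lockfile(lock_json):
    """Return (installed_version, verdict) for filament/filament.

    verdict is 'affected', 'not_affected', 'unparseable' or 'absent'.
    """
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "filament/filament":
                version = pkg["version"]
                try:
                    return version, "affected" if is_affected(version) else "not_affected"
                except ValueError:
                    return version, "unparseable"
    return None, "absent"

# Constructed sample composer.lock excerpt, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "filament/filament", "version": "v4.11.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))  # ('v4.11.4', 'affected')
```

Point `check_lockfile` at the contents of each project's composer.lock; an `unparseable` verdict (a branch alias such as dev-main) means the installed commit must be compared against the fix commits by hand.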

Read the full report for CVE-2026-48500 on our website for more details including interactive diagrams and full exploit analysis.
