CVE-2026-48166
Filament: Timing-based user enumeration on login page
CVSS 3.1 base score: 5.3 (MEDIUM)
Description
The login page exhibits an observable timing difference between attempts for registered and unregistered email addresses, which allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email; no credentials or data are exposed.
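Added illustration of the defect class described above and its usual mitigation; this is not Filament's code (Filament is PHP) but a language-neutral pattern shown in Python. A handler that returns early for unknown emails skips the expensive password-hash check, so its response is measurably faster; the hardened handler always performs exactly one hash verification, against a dummy record when the email is unknown. The user store, salts and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

HASH_CALLS = 0  # counts expensive verifications; used to show equal work


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately expensive password hash (PBKDF2); its cost is what an
    observer sees through response time."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: email -> (salt, hash). Not real data.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, slow_hash("correct horse", _SALT))}

# Dummy record used to perform the same work when the email is unknown.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = slow_hash("dummy-password-never-accepted", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> bool:
    """Vulnerable pattern: unknown emails return before the hash check, so
    the response is faster for addresses that are not registered."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)


def login_constant_work(email: str, password: str) -> bool:
    """Hardened pattern: always run exactly one hash verification, using the
    dummy record for unknown emails, then reject unknown emails regardless."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    return matches and email in USERS  # a dummy-record match never logs in


def hash_calls_for(handler, email: str, password: str) -> int:
    """Number of expensive hash computations one login attempt triggers;
    a difference between known and unknown emails is the timing leak."""
    global HASH_CALLS
    HASH_CALLS = 0
    handler(email, password)
    return HASH_CALLS


if __name__ == "__main__":
    for handler in (login_leaky, login_constant_work):
        known = hash_calls_for(handler, "alice@example.com", "wrong")
        unknown = hash_calls_for(handler, "nobody@example.com", "wrong")
        print(f"{handler.__name__}: known={known} unknown={unknown}")
```

In a real application the dummy hash should be generated once at startup with the same algorithm and parameters as stored credentials, so that the two code paths cost the same.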
How to fix CVE-2026-48166
To remediate CVE-2026-48166, upgrade the affected package to the fixed version listed below.
- Packagist: filament/filament, upgrade to 4.11.5 or later
Is CVE-2026-48166 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48166.
Affected packages (1)
- filament/filament: >= 4.0.0, < 4.11.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |