CVE-2026-55409 — Filament: Disabled RichEditor field state can be used for XSS

Description

In Filament v3, a disabled `RichEditor` field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. Please note that Filament v4 and above does not use the same mechanism for rendering a disabled `RichEditor` so this advisory does not apply.

How to fix CVE-2026-55409

To remediate CVE-2026-55409, upgrade the affected package to a fixed version below.

—upgrade to 3.3.53 or later

Is CVE-2026-55409 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-55409.

Affected packages (1)

>= 3.0.0, < 3.3.53

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

References (4)

PATCHgithub.com/filamentphp/filament
WEBgithub.com/filamentphp/filament/pull/20029
WEBgithub.com/filamentphp/filament/releases/tag/v3.3.53
WEBgithub.com/filamentphp/filament/security/advisories/GHSA-m9cv-24rx-8mv7