Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-48166— Filament: Timing-based user enumeration on login page

CVSS 5.3 · Medium EPSS 0.21% · P11

Affected Version Matrix 2

VendorProductVersion RangeStatus
filamentphpfilament>= 4.0.0, < 4.11.5affected
>= 5.0.0, < 5.6.5affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48166

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Filament: Timing-based user enumeration on login page
Source: NVD (National Vulnerability Database)
Vulnerability Description
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过时间差异性导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
filamentphp filament 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
filamentphp filament是filamentphp团队开源的一套Laravel后台管理面板。 filamentphp filament 4.0.0版本至4.11.5之前版本和5.0.0版本至5.6.5之前版本存在信息泄露漏洞,该漏洞源于登录页面存在可观察的时间差异,可能导致未经身份验证的攻击者枚举已注册的电子邮件地址。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
filamentphpfilament >= 4.0.0, < 4.11.5 -

II. Public POCs for CVE-2026-48166

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-48166

登录查看更多情报信息。

Vendor Advisories for CVE-2026-48166 (1)

Same Patch Batch · filamentphp · 2026-06-22 · 6 CVEs total

CVE-2026-554097.6 HIGHFilament: Disabled RichEditor field state can be used for XSS
CVE-2026-485057.4 HIGHFilament: Multi-factor authentication (app) recovery codes can still be used multiple time
CVE-2026-485006.5 MEDIUMFilament: Unauthenticated temporary file upload on auth pages
CVE-2026-480676.5 MEDIUMFilament: Inconsistent scope enforcement for AttachAction and AssociateAction Select field
CVE-2026-481676.4 MEDIUMFilament: Unvalidated ImageColumn and ImageEntry values can be used for XSS

IV. Related Vulnerabilities

V. Comments for CVE-2026-48166

No comments yet


Leave a comment