GHSA-7q3w-xqjw-g3crMediumCVSS 6.5

Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields

Published
June 11, 2026
Last Modified
June 11, 2026

🔗 CVE IDs covered (1)

📋 Description

The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.

🎯 Affected products3

  • composer/filament/tables:>= 3.0.0, <= 3.3.50
  • composer/filament/actions:>= 4.0.0, <= 4.11.3
  • composer/filament/actions:>= 5.0.0, <= 5.6.3

🔗 References (5)