{"api_version":"1","generated_at":"2026-06-23T19:10:51+00:00","cve":"CVE-2026-48166","urls":{"html":"https://cve.report/CVE-2026-48166","api":"https://cve.report/api/cve/CVE-2026-48166.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48166","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48166"},"summary":{"title":"Filament: Timing-based user enumeration on login page","description":"Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-22 22:16:46","updated_at":"2026-06-23 15:03:56"},"problem_types":["CWE-208","CWE-208 CWE-208: Observable Timing Discrepancy"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f","name":"https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48166","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48166","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"filamentphp","product":"filament","version":"affected >= 4.0.0, < 4.11.5","platforms":[]},{"source":"CNA","vendor":"filamentphp","product":"filament","version":"affected >= 5.0.0, < 5.6.5","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-48166","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-23T12:28:19.870932Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-23T12:29:33.902Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"filament","vendor":"filamentphp","versions":[{"status":"affected","version":">= 4.0.0, < 4.11.5"},{"status":"affected","version":">= 5.0.0, < 5.6.5"}]}],"descriptions":[{"lang":"en","value":"Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-208","description":"CWE-208: Observable Timing Discrepancy","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-22T21:42:37.340Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f","tags":["x_refsource_CONFIRM"],"url":"https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f"}],"source":{"advisory":"GHSA-5w46-g9pq-wh6f","discovery":"UNKNOWN"},"title":"Filament: Timing-based user enumeration on login page"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-48166","datePublished":"2026-06-22T21:40:01.897Z","dateReserved":"2026-05-20T23:12:43.032Z","dateUpdated":"2026-06-23T12:29:33.902Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-22 22:16:46","lastModifiedDate":"2026-06-23 15:03:56","problem_types":["CWE-208","CWE-208 CWE-208: Observable Timing Discrepancy"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-23T12:28:19.870932Z","id":"CVE-2026-48166","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48166","Ordinal":"1","Title":"Filament: Timing-based user enumeration on login page","CVE":"CVE-2026-48166","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48166","Ordinal":"1","NoteData":"Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.","Type":"Description","Title":"Filament: Timing-based user enumeration on login page"}]}}}