CVE-2026-48157: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in slimphp Slim
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
AI Analysis
Technical Summary
SlimPHP is a PHP micro framework for web applications and APIs. Versions 4.4.0 through 4.15 have an XSS vulnerability (CWE-79) in the error handling mechanism. If an application uses HttpException::setTitle() or setDescription() with untrusted, request-derived data, an attacker can inject malicious HTML/JavaScript that executes in the victim's browser when an error page is rendered. This occurs even if displayErrorDetails is false, as the title and description are not escaped. Built-in exceptions use safe plain-text defaults, so only applications explicitly passing untrusted data to these methods are affected. The vulnerability is fixed in version 4.15.2. Workarounds include avoiding untrusted data in these methods and registering a custom error renderer that escapes output.
Potential Impact
An attacker can execute arbitrary HTML or JavaScript in the context of the victim's browser by injecting malicious content into error titles or descriptions if the application passes untrusted data to HttpException::setTitle() or setDescription(). This can lead to information disclosure or session hijacking. The vulnerability does not affect vanilla Slim applications that do not customize error titles or descriptions with untrusted input. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
A fix is available in SlimPHP version 4.15.2. Developers should upgrade to this version to fully remediate the vulnerability. If immediate upgrading is not possible, developers should avoid passing untrusted or request-derived data into HttpException::setTitle() and setDescription(), using only static, plain-text error messages. Additionally, registering a custom error renderer that properly escapes the title and description for HTML output is recommended to prevent XSS.
CVE-2026-48157: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in slimphp Slim
Description
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
CVSS v3.1
Score 6.1medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SlimPHP is a PHP micro framework for web applications and APIs. Versions 4.4.0 through 4.15 have an XSS vulnerability (CWE-79) in the error handling mechanism. If an application uses HttpException::setTitle() or setDescription() with untrusted, request-derived data, an attacker can inject malicious HTML/JavaScript that executes in the victim's browser when an error page is rendered. This occurs even if displayErrorDetails is false, as the title and description are not escaped. Built-in exceptions use safe plain-text defaults, so only applications explicitly passing untrusted data to these methods are affected. The vulnerability is fixed in version 4.15.2. Workarounds include avoiding untrusted data in these methods and registering a custom error renderer that escapes output.
Potential Impact
An attacker can execute arbitrary HTML or JavaScript in the context of the victim's browser by injecting malicious content into error titles or descriptions if the application passes untrusted data to HttpException::setTitle() or setDescription(). This can lead to information disclosure or session hijacking. The vulnerability does not affect vanilla Slim applications that do not customize error titles or descriptions with untrusted input. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
A fix is available in SlimPHP version 4.15.2. Developers should upgrade to this version to fully remediate the vulnerability. If immediate upgrading is not possible, developers should avoid passing untrusted or request-derived data into HttpException::setTitle() and setDescription(), using only static, plain-text error messages. Additionally, registering a custom error renderer that properly escapes the title and description for HTML output is recommended to prevent XSS.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-20T23:12:43.031Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a30726b0b89be6888a31ad7
Added to database: 6/15/2026, 9:45:15 PM
Last enriched: 6/15/2026, 10:01:14 PM
Last updated: 6/16/2026, 4:01:55 PM
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.