CVE-2026-48157
Status: Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path.

Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected.

The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
slim     slim      4.4.0 (inclusive) to 4.15 (inclusive)
slim     slim      4.15.2
Note: 4.15.2 is the release the description names as the fix, not a vulnerable version; treat the second row as the patched target, not as additional affected scope.
CWE ID   Description
CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): the product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability affects the Slim PHP micro framework, versions 4.4.0 through 4.15. It arises when application code passes untrusted, request-derived data into HttpException::setTitle() and/or setDescription(), for example "No products found matching '{$query}'.". Slim's built-in HTML error renderer writes the title and description into the error page without escaping, so an attacker who controls that data can inject HTML or JavaScript that executes in the browser of any user who receives the resulting error page.

The unescaped title and description are rendered even with displayErrorDetails = false, so the production setting that hides stack traces does not close this path. Slim's built-in exceptions (HttpNotFoundException, HttpBadRequestException, and so on) ship plain-text defaults, so a vanilla Slim application with no user code is not exploitable; only applications that feed untrusted data into these two setters are affected. The issue was fixed in Slim 4.15.2.

Until they can upgrade, developers can stop passing untrusted data into setTitle() and setDescription() and use static, plain-text error copy, and register a custom error renderer for the HTML media type (an ErrorRendererInterface implementation, or an HtmlErrorRenderer subclass) that escapes the title and description.
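The pattern described above, shown as an added example that is not code from the Slim project or the advisory: a vulnerable route that copies a query parameter into the exception description, beside a hardened version of the same route. It assumes Slim 4 (4.4.0 through 4.15) with slim/psr7 installed via Composer; the /products route, the /products-safe route and findProducts() are hypothetical stand-ins.

```php
<?php
// Added example, not code from the Slim project or the advisory: the vulnerable
// pattern the description quotes, beside a hardened version of the same route.
// Assumes Slim 4 (4.4.0 - 4.15) with slim/psr7 installed via Composer; the
// /products routes and findProducts() are hypothetical stand-ins.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Exception\HttpNotFoundException;
use Slim\Factory\AppFactory;

/** Hypothetical catalogue lookup; constructed so that nothing ever matches. */
function findProducts(string $query): array
{
    return [];
}

/** Query parameters can be arrays (?q[]=x); only accept a scalar string. */
function queryString(Request $request, string $name): string
{
    $value = $request->getQueryParams()[$name] ?? '';
    return is_string($value) ? $value : '';
}

$app = AppFactory::create();

// VULNERABLE on Slim 4.4.0 - 4.15: the request-derived $query is copied into the
// exception description, which the built-in HtmlErrorRenderer prints into the
// error page without escaping. displayErrorDetails = false does not help.
// Trigger: GET /products?q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
$app->get('/products', function (Request $request, Response $response): Response {
    $query = queryString($request, 'q');
    $products = findProducts($query);
    if ($products === []) {
        $e = new HttpNotFoundException($request);
        $e->setDescription("No products found matching '{$query}'.");
        throw $e;
    }
    $response->getBody()->write((string) json_encode($products));
    return $response->withHeader('Content-Type', 'application/json');
});

// HARDENED: only static, plain-text copy reaches setTitle()/setDescription().
// The untrusted value goes to the server log (hex-encoded, so it cannot forge
// log lines either) rather than to the page.
$app->get('/products-safe', function (Request $request, Response $response): Response {
    $query = queryString($request, 'q');
    $products = findProducts($query);
    if ($products === []) {
        error_log('product search miss, q=0x' . bin2hex($query));
        $e = new HttpNotFoundException($request);
        $e->setTitle('No products found');
        $e->setDescription('No products matched your search. Try a different term.');
        throw $e;
    }
    $response->getBody()->write((string) json_encode($products));
    return $response->withHeader('Content-Type', 'application/json');
});

// Production setting: stack traces hidden, yet /products still reflects $query.
$app->addErrorMiddleware(false, true, true);
$app->run();
```

On Slim 4.15.2 or later the renderer escapes both fields and /products stops being exploitable, but the hardened route is still the better shape: untrusted text in user-facing error copy is worth removing whichever renderer is in use.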

Impact Analysis

This is a cross-site scripting (XSS) condition, typically reflected: the injected markup is whatever the attacker managed to place in the request data that the application copies into the error title or description, so the usual delivery is a crafted link or form submission that triggers the error. The script runs in the application's origin with the victim's session, which can lead to:

  • Theft of cookies or session tokens that are not marked HttpOnly, and in any case requests sent with the victim's credentials.
  • Actions performed in the application on behalf of the user.
  • Defacement or manipulation of the error page, including convincing phishing content under the application's own domain.
  • Loss of user trust and damage to the application's reputation.
Detection Guidance

The defect lives in application code rather than in a particular framework endpoint: any place that passes untrusted or request-derived data into HttpException::setTitle() and/or setDescription() produces an HTML error page with that data rendered unescaped.

To find it, review the code base for every call to setTitle() or setDescription() on an HttpException (or one of its subclasses) and check whether the argument is a static string. Interpolated strings, concatenation with query parameters, route arguments, headers or database values, and anything passed through from the request are the cases to flag.

Because the issue only shows in the HTML error page, a dynamic check is also possible: request the suspect route with a harmless marker such as <b>test</b> in the parameter that reaches the error copy, with an Accept header that selects HTML (Slim's error handler chooses the renderer from it), and inspect the response body for the marker appearing as live markup rather than as &lt;b&gt;test&lt;/b&gt;.

The page gives no automated check. A source grep for setTitle( and setDescription( followed by manual review of each argument is the practical baseline, and composer show slim/slim tells you whether the installed version is below 4.15.2.
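One way to automate the code-review step above, as an added example that is not part of the BaseFortify page or the Slim project: a token-based audit script that reports every setTitle() / setDescription() method call whose argument is anything other than a single plain string literal. It is deliberately conservative (interpolated strings, concatenation, variables, constants and function calls are all reported), and it does not know the receiver's type, so setTitle() calls on unrelated objects will show up too. The sample source at the bottom is constructed for the demonstration; pass real directories on the command line for actual use.

```php
<?php
// Added example, not from the page or the Slim project: a token-based audit that
// flags HttpException::setTitle() / setDescription() calls whose argument is not
// a single plain string literal. Conservative by design: interpolated strings,
// concatenation, variables and function calls are all reported for review.
// Usage: php audit-error-copy.php path/to/src [more paths...]
declare(strict_types=1);

const AUDITED_METHODS = ['setTitle', 'setDescription'];
const SKIPPED_TOKENS = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];

/** Index of the next token that is not whitespace or a comment, or null. */
function nextSignificant(array $tokens, int $i): ?int
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], SKIPPED_TOKENS, true)) {
            return $j;
        }
    }
    return null;
}

/** Index of the previous token that is not whitespace or a comment, or null. */
function prevSignificant(array $tokens, int $i): ?int
{
    for ($j = $i - 1; $j >= 0; $j--) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], SKIPPED_TOKENS, true)) {
            return $j;
        }
    }
    return null;
}

/** Audit one PHP source string; returns a list of ['line' => int, 'call' => string]. */
function auditSource(string $source): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $findings = [];

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || !in_array($t[1], AUDITED_METHODS, true)) {
            continue;
        }
        // Only method calls: "->name(" or "?->name(" (the latter exists from PHP 8.0).
        $p = prevSignificant($tokens, $i);
        $open = nextSignificant($tokens, $i);
        $isArrow = $p !== null && is_array($tokens[$p])
            && ($tokens[$p][0] === T_OBJECT_OPERATOR
                || (defined('T_NULLSAFE_OBJECT_OPERATOR') && $tokens[$p][0] === T_NULLSAFE_OBJECT_OPERATOR));
        if (!$isArrow || $open === null || $tokens[$open] !== '(') {
            continue;
        }
        // Collect the argument tokens up to the matching ")". Parentheses are always
        // plain one-character tokens, so the is_array guard keeps string contents
        // such as T_ENCAPSED_AND_WHITESPACE "(" from confusing the depth count.
        $depth = 0;
        $args = [];
        $src = '';
        for ($j = $open; $j < $n; $j++) {
            $tok = $tokens[$j];
            if (!is_array($tok) && $tok === '(') {
                $depth++;
                if ($depth === 1) {
                    continue;
                }
            }
            if (!is_array($tok) && $tok === ')') {
                $depth--;
                if ($depth === 0) {
                    break;
                }
            }
            $src .= is_array($tok) ? $tok[1] : $tok;
            if (!is_array($tok) || !in_array($tok[0], SKIPPED_TOKENS, true)) {
                $args[] = $tok;
            }
        }
        // Exactly one plain string literal (no interpolation) is the only shape treated as safe.
        $safe = count($args) === 1 && is_array($args[0]) && $args[0][0] === T_CONSTANT_ENCAPSED_STRING;
        if (!$safe) {
            $findings[] = ['line' => $t[2], 'call' => $t[1] . '(' . trim($src) . ')'];
        }
    }
    return $findings;
}

// Constructed sample standing in for a real code base: lines 4 and 5 should be reported.
$sample = <<<'PHP'
<?php
$e = new HttpNotFoundException($request);
$e->setTitle('No products found');
$e->setDescription("No products found matching '{$query}'.");
$e->setDescription('Unknown item: ' . $request->getAttribute('id'));
PHP;

foreach (auditSource($sample) as $f) {
    printf("sample.php:%d  %s\n", $f['line'], $f['call']);
}

// Real use: walk every .php file under the directories given on the command line.
foreach (array_slice($argv ?? [], 1) as $root) {
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        foreach (auditSource((string) file_get_contents($file->getPathname())) as $f) {
            printf("%s:%d  %s\n", $file->getPathname(), $f['line'], $f['call']);
        }
    }
}
```

Every reported line still needs a human to decide whether the non-literal argument can carry request-derived data; a translation lookup or a class constant is fine, a route argument or query parameter is not.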

Mitigation Strategies

The fix is in Slim 4.15.2, so the primary mitigation is to upgrade slim/slim to 4.15.2 or later.

If you cannot upgrade immediately, stop passing untrusted or request-derived data into HttpException::setTitle() and setDescription(): use static, plain-text error copy and, if the value is needed for troubleshooting, log it server-side instead of echoing it back to the user.

Additionally, register a custom error renderer for the text/html media type that escapes the title and description, either an ErrorRendererInterface implementation or an HtmlErrorRenderer subclass. Do this even if you believe every call site already uses static copy: it turns a code-review guarantee into one enforced at rendering time, which is the property the 4.15.2 fix provides.
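The renderer-side workaround, as an added example that is not Slim's own code: an ErrorRendererInterface implementation that escapes the title and description (and, when details are enabled, the message and trace) before they reach the page, plus the registration call for the text/html media type. It assumes Slim 4 with slim/psr7 via Composer; the class name, the installEscapingRenderer() helper and the self-check request are assumptions for this example.

```php
<?php
// Added example, not Slim's own code: an HTML error renderer that escapes the
// title and description before they reach the page, registered for text/html
// in place of Slim's HtmlErrorRenderer. Assumes Slim 4 with slim/psr7 via
// Composer; the self-check at the bottom constructs its own request.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Slim\App;
use Slim\Exception\HttpException;
use Slim\Exception\HttpNotFoundException;
use Slim\Factory\AppFactory;
use Slim\Interfaces\ErrorRendererInterface;
use Slim\Psr7\Factory\ServerRequestFactory;

final class EscapingHtmlErrorRenderer implements ErrorRendererInterface
{
    private const DEFAULT_TITLE = 'Application Error';
    private const DEFAULT_DESCRIPTION = 'A website error has occurred. Sorry for the temporary inconvenience.';

    public function __invoke(Throwable $exception, bool $displayErrorDetails): string
    {
        // Same source of title/description as Slim's renderer: the HttpException
        // fields when set, a static default otherwise.
        $title = self::DEFAULT_TITLE;
        $description = self::DEFAULT_DESCRIPTION;
        if ($exception instanceof HttpException) {
            if ($exception->getTitle() !== '') {
                $title = $exception->getTitle();
            }
            if ($exception->getDescription() !== '') {
                $description = $exception->getDescription();
            }
        }

        $body = '<p>' . self::e($description) . '</p>';
        if ($displayErrorDetails) {
            // The exception message and trace are escaped as well.
            $body .= '<h2>Details</h2><pre>'
                . self::e(get_class($exception) . ': ' . $exception->getMessage() . "\n" . $exception->getTraceAsString())
                . '</pre>';
        }

        return '<!doctype html><html lang="en"><head><meta charset="utf-8">'
            . '<title>' . self::e($title) . '</title></head>'
            . '<body><h1>' . self::e($title) . '</h1>' . $body . '</body></html>';
    }

    /** Escape for HTML text and attribute contexts; invalid UTF-8 becomes U+FFFD instead of an empty string. */
    private static function e(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

/** Hypothetical helper: wire the renderer in for the HTML media type and as the fallback renderer. */
function installEscapingRenderer(App $app, bool $displayErrorDetails = false): void
{
    $errorMiddleware = $app->addErrorMiddleware($displayErrorDetails, true, true);
    $errorHandler = $errorMiddleware->getDefaultErrorHandler();
    $errorHandler->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);
    $errorHandler->setDefaultErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);
}

// Self-check with a constructed request and a hostile description: the output
// must contain the escaped form and never the raw tag.
$request = (new ServerRequestFactory())->createServerRequest('GET', '/products?q=x');
$e = new HttpNotFoundException($request);
$e->setDescription("No products found matching '<script>alert(document.domain)</script>'.");
$html = (new EscapingHtmlErrorRenderer())($e, false);
if (strpos($html, '<script>') !== false || strpos($html, '&lt;script&gt;') === false) {
    throw new RuntimeException('renderer failed to escape the description');
}

$app = AppFactory::create();
installEscapingRenderer($app, false);
echo "renderer installed; escaped sample:\n{$html}\n";
```

Registering the class for text/html only replaces the HTML renderer; JSON, XML and plain-text renderers are selected separately by the Accept header and are not touched by this change.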
