CVE-2026-48157
Deferred Deferred - Pending Action

Stored XSS in Slim PHP Framework Error Pages

Vulnerability report for CVE-2026-48157, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
slim slim From 4.4.0 (inc) to 4.15 (inc)
slim slim 4.15.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to inject arbitrary HTML or JavaScript into error pages, which could lead to cross-site scripting (XSS) attacks when untrusted data is included in error titles or descriptions.

Such XSS vulnerabilities can potentially lead to unauthorized access to sensitive user data or session information, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the vulnerability only affects applications that explicitly use untrusted/request-derived data in error messages via HttpException::setTitle() or setDescription(), and it has been fixed in version 4.15.2.

Developers are advised to avoid passing untrusted data into these methods or implement proper escaping to mitigate the risk.

Executive Summary

This vulnerability exists in the Slim PHP micro framework versions 4.4.0 through 4.15. It occurs when an application uses the HttpException::setTitle() and/or setDescription() methods to include untrusted or request-derived data in the error title or description. An attacker can inject arbitrary HTML or JavaScript code that will execute in the victim's browser when they view an HTML error page generated by Slim.

The vulnerability is present even if the displayErrorDetails setting is false because the unescaped title and description are rendered on the error page. Built-in exceptions use plain-text defaults, so only applications that explicitly pass untrusted data into these methods are affected. The issue was fixed in version 4.15.2.

Developers can mitigate the issue by avoiding passing untrusted data into setTitle() and setDescription(), using static plain-text error messages, or by registering a custom error renderer that properly escapes the title and description.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, where an attacker injects malicious HTML or JavaScript into error pages viewed by users. This can result in the execution of arbitrary scripts in the victim's browser.

  • Compromise of user data through theft of cookies or session tokens.
  • Execution of malicious actions on behalf of the user.
  • Potential defacement or manipulation of the web application's error pages.
  • Loss of user trust and damage to the application's reputation.
Detection Guidance

This vulnerability occurs when an application using the Slim PHP framework passes untrusted or request-derived data into HttpException::setTitle() and/or setDescription(), which then gets rendered unescaped in HTML error pages.

To detect this vulnerability on your system, you should review your application code to identify any usage of HttpException::setTitle() or setDescription() methods that include untrusted input.

Since the vulnerability manifests in HTML error pages, you can also test by triggering error conditions that cause these exceptions and inspecting the resulting error page for unescaped HTML or JavaScript.

There are no specific network or system commands provided to detect this vulnerability automatically.

Mitigation Strategies

The vulnerability has been fixed in Slim version 4.15.2, so the primary mitigation step is to update your Slim framework to version 4.15.2 or later.

If immediate updating is not possible, you should avoid passing untrusted or request-derived data into HttpException::setTitle() and setDescription(). Instead, use static, plain-text error messages.

Additionally, register a custom error renderer that escapes the title and description for HTML error pages. This can be done by implementing the ErrorRendererInterface or subclassing HtmlErrorRenderer with proper escaping.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48157. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart