Description
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead.
They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
Published: 2026-06-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary HTML or JavaScript into the title or description of an HTML error page generated by the Slim framework. When an application uses HttpException::setTitle() or setDescription() with untrusted or request‑derived data, the framework fails to escape that content. The injected code then executes in the victim’s browser when the error page is rendered, providing client‑side code execution and the potential to hijack sessions or deface content. This impact is confined to applications that intentionally supply untrusted data to these methods; vanilla Slim deployments that rely on the default plain‑text error messages remain secure.

Affected Systems

The flaw exists in Slim PHP framework versions 4.4.0 through 4.15. Only applications that customize the error title or description with untrusted data are affected. The issue was mitigated in release 4.15.2, which introduced proper escaping. Upgrading to 4.15.2 or later, or suspending the use of untrusted data in these methods, eliminates the risk.

Risk and Exploitability

The CVSS score of 6.1 marks the vulnerability as medium severity, while the EPSS score of < 1% indicates a low probability of real‑world exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must deliver a crafted request that triggers the error page to achieve the reflected XSS; this exploitation requires only the web application context and does not grant additional system privileges.

Generated by OpenCVE AI on June 17, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply patch to Slim 4.15.2 or later
  • If patch cannot be applied immediately, avoid using untrusted data in setTitle() and setDescription() and use static plain‑text error messages
  • Register a custom error renderer that escapes the title and description for HTML media type

Generated by OpenCVE AI on June 17, 2026 at 22:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-53h4-8rc4-f539 Slim has Reflected XSS in the HtmlErrorRenderer
History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Slimphp
Slimphp slim
Vendors & Products Slimphp
Slimphp slim

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
Title Slim has Reflected XSS in the HtmlErrorRenderer
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T12:21:36.311Z

Reserved: 2026-05-20T23:12:43.031Z

Link: CVE-2026-48157

cve-icon Vulnrichment

Updated: 2026-06-16T12:21:32.897Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T22:16:17.090

Modified: 2026-06-16T15:49:33.737

Link: CVE-2026-48157

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')