Security Advisory: Reflected XSS vulnerability in Slim >= 4.4.0, <= 4.15.1 (CVE-2026-48157)
A security issue has recently been reported in Slim’s HTML error renderer that could allow reflected cross-site scripting (XSS) attacks in applications that feed untrusted data into HttpException::setTitle() and/or setDescription().
Impact
If an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim’s browser when they encounter an HTML error page generated by Slim.
The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path.
Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected.
Severity: Medium — CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected versions
All versions from 4.4.0 to 4.15.1 inclusive are affected.
Patches
The issue is fixed in 4.15.2.
Workarounds
Without upgrading, applications can either:
- Avoid passing untrusted/request-derived data into HttpException::setTitle() and setDescription(). Use static, plain-text error copy instead.
- Register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
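As an added illustration of the second workaround (this is example code, not Slim's own renderer or part of the 4.15.2 fix), the following Slim 4 error renderer escapes the exception title and description, as well as the exception details shown when displayErrorDetails is enabled, before they are placed in the HTML page. It assumes the Slim 4 ErrorRendererInterface contract (__invoke(Throwable, bool): string), HttpException::getTitle() and getDescription(), and the ErrorHandler::registerErrorRenderer() registration method; the class name EscapingHtmlErrorRenderer and the $app bootstrap are this example's own choices.

```php
<?php
// Added example, not Slim's code: an HTML error renderer that HTML-escapes
// every value it interpolates, so request-derived text passed through
// HttpException::setTitle()/setDescription() is rendered as literal text.
declare(strict_types=1);

use Slim\Exception\HttpException;
use Slim\Factory\AppFactory;
use Slim\Interfaces\ErrorRendererInterface;

final class EscapingHtmlErrorRenderer implements ErrorRendererInterface
{
    private const DEFAULT_TITLE = 'Application Error';
    private const DEFAULT_DESCRIPTION = 'A website error has occurred.';

    // Single escaping helper; every value that reaches the markup goes through it.
    private static function e(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    public function __invoke(Throwable $exception, bool $displayErrorDetails): string
    {
        $title = self::DEFAULT_TITLE;
        $description = self::DEFAULT_DESCRIPTION;
        if ($exception instanceof HttpException) {
            // These two values are the ones an application may have built from
            // untrusted input; they are escaped below like everything else.
            $title = $exception->getTitle();
            $description = $exception->getDescription();
        }

        $body = '<p>' . self::e($description) . '</p>';
        if ($displayErrorDetails) {
            // Exception internals can echo request data too (e.g. the message),
            // so the details block is escaped the same way.
            $body .= '<h2>Details</h2><ul>'
                . '<li><strong>Type:</strong> ' . self::e(get_class($exception)) . '</li>'
                . '<li><strong>Code:</strong> ' . self::e((string) $exception->getCode()) . '</li>'
                . '<li><strong>Message:</strong> ' . self::e($exception->getMessage()) . '</li>'
                . '<li><strong>File:</strong> ' . self::e($exception->getFile()) . '</li>'
                . '<li><strong>Line:</strong> ' . self::e((string) $exception->getLine()) . '</li>'
                . '</ul><h2>Trace</h2><pre>' . self::e($exception->getTraceAsString()) . '</pre>';
        }

        return '<!doctype html><html lang="en"><head><meta charset="utf-8">'
            . '<title>' . self::e($title) . '</title></head>'
            . '<body><h1>' . self::e($title) . '</h1>' . $body . '</body></html>';
    }
}

// Register the renderer for the HTML media type so it replaces the built-in
// HtmlErrorRenderer on this error path (assumed bootstrap; adjust to your app).
$app = AppFactory::create();
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->getDefaultErrorHandler()
    ->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);
```

With this renderer registered, an error title such as "No products found matching '<script>…</script>'." is emitted with its angle brackets and quotes encoded, so the browser displays the text rather than executing it, regardless of the displayErrorDetails setting. The renderer is a stop-gap for the affected versions; upgrading to 4.15.2 and keeping request data out of setTitle() and setDescription() remain the primary fixes.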
Acknowledgments
We are grateful to and thank GitHub user 0xEr3n for reporting this issue to us.