MEDIUM 6.1

GHSA-53h4-8rc4-f539

Slim has Reflected XSS in the HtmlErrorRenderer

Details

### Impact

If an application uses `HttpException::setTitle()` and/or `setDescription()` to include untrusted/request-derived data in the error title or description (e.g. `"No products found matching '{$query}'."`), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim.

The vulnerability is present even with `displayErrorDetails = false` as the unescaped title and description are rendered on this error path.

Built-in exceptions (`HttpNotFoundException`, `HttpBadRequestException`, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into `setTitle()` and/or `setDescription()` are affected.

### Patches

The issue is fixed in 4.15.2.

### Workarounds

Without upgrading, applications can:

- Avoid passing untrusted/request-derived data into `HttpException::setTitle()` and `setDescription()`. Use static, plain-text error copy instead.
- Register a custom error renderer (an `ErrorRendererInterface` implementation, or a subclass of `HtmlErrorRenderer` that escapes the title and description) for the HTML media type.
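The following is an added example, not code from the Slim project or from the advisory. It puts the vulnerable pattern described under Impact (a request-derived search term interpolated into `setTitle()`) next to the second workaround: a subclass of `HtmlErrorRenderer` that escapes the title and description, registered for `text/html`. It assumes Slim 4.x with the `getErrorTitle()`/`getErrorDescription()` protected hooks inherited from `AbstractErrorRenderer`; the route, the `$found` flag and the `EscapingHtmlErrorRenderer` class name are illustrative.

```php
<?php
// Added example (not Slim's own code). Assumes Slim 4.x, where
// HtmlErrorRenderer inherits the protected hooks getErrorTitle() and
// getErrorDescription() from Slim\Error\AbstractErrorRenderer (assumption).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Error\Renderers\HtmlErrorRenderer;
use Slim\Exception\HttpNotFoundException;
use Slim\Factory\AppFactory;

/**
 * Workaround renderer: escapes the HttpException title and description
 * before HtmlErrorRenderer interpolates them into <title>, <h1> and <p>.
 * Takes effect on both error paths (displayErrorDetails true or false),
 * because both go through these two hooks.
 */
final class EscapingHtmlErrorRenderer extends HtmlErrorRenderer
{
    protected function getErrorTitle(Throwable $exception): string
    {
        return self::escape(parent::getErrorTitle($exception));
    }

    protected function getErrorDescription(Throwable $exception): string
    {
        return self::escape(parent::getErrorDescription($exception));
    }

    public static function escape(string $text): string
    {
        // ENT_QUOTES: escape both quote styles (the title lands inside markup
        // and could otherwise close an attribute). ENT_SUBSTITUTE: replace
        // invalid UTF-8 rather than silently returning an empty string.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

$app = AppFactory::create();

// Vulnerable pattern from the advisory: request-derived text in the title.
// With a stock HtmlErrorRenderer before 4.15.2, a request such as
//   GET /products?q=<script>alert(document.domain)</script>
// reflects the payload into the error page unescaped.
$app->get('/products', function (Request $request, Response $response): Response {
    $query = (string) ($request->getQueryParams()['q'] ?? '');
    $found = false; // constructed: stand-in for a lookup that matched nothing

    if (!$found) {
        throw (new HttpNotFoundException($request))
            ->setTitle("No products found matching '{$query}'.")
            ->setDescription('Try a different search term.');
    }

    $response->getBody()->write('product list');
    return $response;
});

// displayErrorDetails=false alone does not help (see Impact); the renderer
// registered for text/html is what neutralises the reflected markup.
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->getDefaultErrorHandler()
    ->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);

$app->run();
```

Registering the renderer is a stopgap for applications that cannot upgrade immediately; the first workaround (keeping untrusted data out of `setTitle()`/`setDescription()` altogether) still applies, since other renderers or custom error handlers that consume the same title and description may not escape it.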

### Acknowledgments

Slim is grateful to and thanks GitHub user [0xEr3n](https://github.com/0xEr3n) for reporting this issue.

### Resources

- CWE-79: https://cwe.mitre.org/data/definitions/79.html


Affected packages

Packagist / slim/slim
Introduced in: 4.4.0
Fixed in: 4.15.2
Fix: `composer require slim/slim:^4.15.2`

References