Skip to main content

Slim PHP Framework CVE-2026-48157

| EUVDEUVD-2026-37008 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 GitHub_M GHSA-53h4-8rc4-f539
6.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-reachable XSS requiring victim browser interaction; PR:N as attacker needs no credentials; S:C for browser-context escape; C/I:L for limited session/content impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 15, 2026 - 23:20 vuln.today
Analysis Generated
Jun 15, 2026 - 23:20 vuln.today
Patch available
Jun 15, 2026 - 23:02 EUVD

DescriptionCVE.org

Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.

AnalysisAI

Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.

Technical ContextAI

Slim's HtmlErrorRenderer constructs and returns HTML error pages using the title and description properties of HttpException, set via setTitle() and setDescription(). Prior to 4.15.2, these values were interpolated directly into HTML output without HTML entity escaping, constituting CWE-79 (Improper Neutralization of Input During Web Page Generation). The fix, confirmed by the 4.15.2 release notes (GHSA-53h4-8rc4-f539), applies HTML entity escaping within HtmlErrorRenderer. The vulnerability is not present in built-in exception subclasses (HttpNotFoundException, HttpBadRequestException, etc.) because those ship with static plain-text defaults - only developer-added code that calls the setters with dynamic, request-derived values creates the exploitable condition. CPE cpe:2.3:a:slimphp:slim:*:*:*:*:*:*:*:* covers the affected product family.

RemediationAI

Upgrade to Slim 4.15.2, which applies HTML entity escaping in HtmlErrorRenderer to prevent XSS (confirmed by release notes at https://github.com/slimphp/Slim/releases/tag/4.15.2 and advisory GHSA-53h4-8rc4-f539). If an immediate upgrade is not feasible, audit all calls to HttpException::setTitle() and setDescription() and replace any request-derived values with static, plain-text strings - this eliminates the injection point without a code update. As an additional defensive layer, register a custom error renderer implementing ErrorRendererInterface (or subclass HtmlErrorRenderer with explicit htmlspecialchars() escaping applied to title and description) for the HTML media type in Slim's container configuration. Note that the workarounds require code changes and code review; neither is a drop-in configuration toggle.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-48157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy