Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable XSS requiring victim browser interaction; PR:N as attacker needs no credentials; S:C for browser-context escape; C/I:L for limited session/content impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
AnalysisAI
Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.
Technical ContextAI
Slim's HtmlErrorRenderer constructs and returns HTML error pages using the title and description properties of HttpException, set via setTitle() and setDescription(). Prior to 4.15.2, these values were interpolated directly into HTML output without HTML entity escaping, constituting CWE-79 (Improper Neutralization of Input During Web Page Generation). The fix, confirmed by the 4.15.2 release notes (GHSA-53h4-8rc4-f539), applies HTML entity escaping within HtmlErrorRenderer. The vulnerability is not present in built-in exception subclasses (HttpNotFoundException, HttpBadRequestException, etc.) because those ship with static plain-text defaults - only developer-added code that calls the setters with dynamic, request-derived values creates the exploitable condition. CPE cpe:2.3:a:slimphp:slim:*:*:*:*:*:*:*:* covers the affected product family.
RemediationAI
Upgrade to Slim 4.15.2, which applies HTML entity escaping in HtmlErrorRenderer to prevent XSS (confirmed by release notes at https://github.com/slimphp/Slim/releases/tag/4.15.2 and advisory GHSA-53h4-8rc4-f539). If an immediate upgrade is not feasible, audit all calls to HttpException::setTitle() and setDescription() and replace any request-derived values with static, plain-text strings - this eliminates the injection point without a code update. As an additional defensive layer, register a custom error renderer implementing ErrorRendererInterface (or subclass HtmlErrorRenderer with explicit htmlspecialchars() escaping applied to title and description) for the HTML media type in Slim's container configuration. Note that the workarounds require code changes and code review; neither is a drop-in configuration toggle.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37008
GHSA-53h4-8rc4-f539