Medium severity6.1NVD Advisory· Published Nov 17, 2017· Updated May 13, 2026

CVE-2017-16880

Description

The dump function in Util/TemplateHelper.php in filp whoops before 2.1.13 has XSS.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
filp/whoopsPackagist	< 2.1.13	2.1.13

Affected products

Whoops Project/Whoops
cpe:2.3:a:whoops_project:whoops:*:*:*:*:*:*:*:*
Range: <2.1.13

Patches

c16791d28d1c

TemplateHelper: fix XSS if Symfony dumper is not available

https://github.com/filp/whoopsDenis SokolovNov 17, 2017via ghsa

commit

1 file changed · +1 −1

src/Whoops/Util/TemplateHelper.php+1 −1 modified

@@ -183,7 +183,7 @@ public function dump($value)
             return $output;
         }
 
-        return print_r($value, true);
+        return htmlspecialchars(print_r($value, true));
     }
 
     /**

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/filp/whoops/commit/c16791d28d1ca3139e398145f0c6565c523c291anvdPatchThird Party AdvisoryWEB
github.com/advisories/GHSA-2jjm-6whx-p8w4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-16880ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000