VYPR
Medium severity (6.1) · NVD Advisory · Published Jun 15, 2026

CVE-2026-48157

Description

Slim PHP framework versions 4.4.0 to 4.15.1 are vulnerable to reflected XSS via unescaped HTML in error pages when user input is passed to HttpException::setTitle() or setDescription().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Slim PHP framework versions 4.4.0 through 4.15.1 contain a reflected cross-site scripting (XSS) vulnerability in the HtmlErrorRenderer component. When an application passes untrusted or request-derived data into HttpException::setTitle() or HttpException::setDescription(), that data is rendered unescaped on the HTML error page, even with displayErrorDetails set to false. Built-in exceptions such as HttpNotFoundException and HttpBadRequestException use plain-text defaults and are not exploitable; only applications that explicitly feed user-controlled input into these setter methods are affected [1][2].

Exploitation

An attacker requires no special network position beyond being able to trigger an HTTP error response containing the injected payload. The attacker must identify an application endpoint where the error title or description is dynamically constructed from request parameters (e.g., query string, POST body, or headers). No authentication is needed if the error endpoint is public. The attacker crafts a request with malicious HTML/JavaScript embedded in the parameter that flows into setTitle() or setDescription(). When a victim visits the resulting error page, the injected script executes in the context of the application's origin [2].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the browser of any user who accesses the generated error page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker gains no server-side access; the compromise is limited to the client-side session against the affected application's origin [2].

Mitigation

The vulnerability has been fixed in Slim version 4.15.2 [1][2]. Developers unable to upgrade immediately should avoid passing untrusted or request-derived data into HttpException::setTitle() and setDescription(), and should instead use static, plain-text error copy. Additionally, they can register a custom error renderer (implementing ErrorRendererInterface or subclassing HtmlErrorRenderer with proper escaping) for the text/html media type. No CISA KEV listing has been published as of this writing.
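One way to apply the custom-renderer mitigation, as an added example that is not the Slim project's own code: an ErrorRendererInterface implementation that HTML-escapes the exception title and description, registered for text/html on the default error handler. It assumes Slim 4's error middleware API (addErrorMiddleware, getDefaultErrorHandler, registerErrorRenderer); the class name EscapingHtmlErrorRenderer is an assumption.

```php
<?php
// Added example (not Slim's code): an escaping text/html error renderer
// that replaces the stock HtmlErrorRenderer for the whole application.
declare(strict_types=1);

use Slim\Exception\HttpException;
use Slim\Factory\AppFactory;
use Slim\Interfaces\ErrorRendererInterface;

require __DIR__ . '/vendor/autoload.php';

final class EscapingHtmlErrorRenderer implements ErrorRendererInterface
{
    public function __invoke(Throwable $exception, bool $displayErrorDetails): string
    {
        // Take title/description from HttpException only; any other throwable
        // gets a generic message so internals are not leaked to the client.
        $title = $exception instanceof HttpException
            ? $exception->getTitle()
            : 'Application Error';
        $description = $exception instanceof HttpException
            ? $exception->getDescription()
            : 'An unexpected error occurred.';

        // Escape for an HTML text context. Skipping this step is exactly what
        // makes request-derived setTitle()/setDescription() values reflect.
        $h = static fn (string $s): string =>
            htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

        return sprintf(
            '<!DOCTYPE html><html><head><meta charset="utf-8"><title>%s</title></head>'
            . '<body><h1>%s</h1><p>%s</p></body></html>',
            $h($title),
            $h($title),
            $h($description)
        );
    }
}

$app = AppFactory::create();

// displayErrorDetails=false: the unescaped output happens regardless of this
// flag, so the renderer, not the flag, is the control.
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->getDefaultErrorHandler()
    ->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);

$app->run();
```

This is a stop-gap for deployments pinned to 4.4.0 through 4.15.1; upgrading to 4.15.2 remains the primary fix, and static error copy should still be preferred over request-derived text.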

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.