GHSA-53h4-8rc4-f539

Source
https://github.com/advisories/GHSA-53h4-8rc4-f539
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-53h4-8rc4-f539/GHSA-53h4-8rc4-f539.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-53h4-8rc4-f539
Aliases
  • CVE-2026-48157
Published
2026-06-23T21:54:06Z
Modified
2026-06-23T22:00:15.274443759Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Slim has Reflected XSS in the HtmlErrorRenderer
Details

Impact

If an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim.

The vulnerability is present even when displayErrorDetails = false, because the title and description are rendered unescaped on that error path too; disabling error details does not mitigate it.

Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected.

Patches

The issue is fixed in 4.15.2.

Workarounds

Without upgrading, applications can:

  • Avoid passing untrusted/request-derived data into HttpException::setTitle() and setDescription(). Use static, plain-text error copy instead.
  • Register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
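The affected pattern from the Impact section and the second workaround, written out as an added example (this is not Slim's own code and not part of the advisory). It assumes a Composer-installed Slim 4 app; the route, the EscapingHtmlErrorRenderer class and the `/search?q=` parameter are invented for illustration. The renderer subclass assumes that HtmlErrorRenderer builds its page through the protected getErrorTitle()/getErrorDescription() hooks of AbstractErrorRenderer, which is how Slim 4.x composes the `<title>`, `<h1>` and the `<p>` description shown when error details are hidden; if the installed version differs, implementing ErrorRendererInterface from scratch (the advisory's other option) avoids relying on those hooks.

```php
<?php
// Added example, not Slim project code: the vulnerable pattern (request-derived
// data passed to setDescription()) next to the advisory's renderer workaround.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Error\Renderers\HtmlErrorRenderer;
use Slim\Exception\HttpNotFoundException;
use Slim\Factory\AppFactory;
use Throwable;

/**
 * HtmlErrorRenderer subclass that HTML-escapes the title and description.
 * Assumption: HtmlErrorRenderer reads both values through these protected
 * hooks (inherited from AbstractErrorRenderer), so escaping here covers the
 * <title>, <h1> and the displayErrorDetails=false <p>description</p> path.
 */
final class EscapingHtmlErrorRenderer extends HtmlErrorRenderer
{
    protected function getErrorTitle(Throwable $exception): string
    {
        return self::escape(parent::getErrorTitle($exception));
    }

    protected function getErrorDescription(Throwable $exception): string
    {
        return self::escape(parent::getErrorDescription($exception));
    }

    private static function escape(string $value): string
    {
        // ENT_QUOTES escapes both quote styles (attribute contexts);
        // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

$app = AppFactory::create();

// Affected pattern (hypothetical route): the untrusted "q" query parameter is
// interpolated into the exception description. With the stock renderer on
// slim/slim <= 4.15.1, GET /search?q=<script>alert(1)</script> reflects the
// payload into the HTML error page unescaped, even with displayErrorDetails=false.
$app->get('/search', function (Request $request, Response $response): Response {
    $query = (string) ($request->getQueryParams()['q'] ?? '');
    $products = []; // constructed: pretend the catalogue lookup found nothing

    if ($products === []) {
        throw (new HttpNotFoundException($request))
            ->setTitle('No results')
            ->setDescription("No products found matching '{$query}'.");
    }

    $response->getBody()->write('ok');
    return $response;
});

// Workaround: register the escaping renderer for the HTML media type.
// addErrorMiddleware(displayErrorDetails, logErrors, logErrorDetails)
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->getDefaultErrorHandler()
    ->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);

$app->run();
```

To check the workaround, request `/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E` with `Accept: text/html` and confirm the body contains `&lt;script&gt;` rather than a live `<script>` element; run the same request before registering the renderer to confirm the reflection is real in your version. The override is a stop-gap for versions before 4.15.2: once upgraded, remove it so the title and description are not escaped twice.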

Acknowledgments

Slim is grateful to and thanks GitHub user 0xEr3n for reporting this issue.

Resources

  • CWE-79: https://cwe.mitre.org/data/definitions/79.html
Database specific
{
    "github_reviewed_at": "2026-06-23T21:54:06Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-06-15T22:16:17Z"
}
References

Affected packages

Packagist / slim/slim

Package

Name
slim/slim
Purl
pkg:composer/slim%2Fslim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.15.2

Affected versions

4.*
4.4.0
4.5.0
4.6.0
4.7.0
4.7.1
4.8.0
4.8.1
4.9.0
4.10.0
4.11.0
4.12.0
4.13.0
4.14.0
4.15.0
4.15.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-53h4-8rc4-f539/GHSA-53h4-8rc4-f539.json"
last_known_affected_version_range
"<= 4.15.1"