GHSA-53h4-8rc4-f539MediumCVSS 6.1

Slim has Reflected XSS in the HtmlErrorRenderer

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

If an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim.

The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path.

Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected.

Patches

The issue is fixed in 4.15.2.

Workarounds

Without upgrading, applications can:

  • Avoid passing untrusted/request-derived data into HttpException::setTitle() and setDescription(). Use static, plain-text error copy instead.
  • Register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.

Acknowledgments

Slim is grateful to and thanks GitHub user 0xEr3n for reporting this issue.

Resources

  • CWE-79: https://cwe.mitre.org/data/definitions/79.html

🎯 Affected products1

  • composer/slim/slim:>= 4.4.0, <= 4.15.1

🔗 References (4)