How CVE-2026-48157 Works
Slim is a popular PHP micro-framework for building web applications and APIs. This vulnerability exists in Slim’s HTML error renderer and affects all versions from 4.4.0 up to and including 4.15.1. The root cause is insufficient output encoding when rendering error pages.
The `HttpException` class provides `setTitle()` and `setDescription()` methods that allow developers to customize error messages. If an application passes untrusted or user-supplied data into these methods (for example, reflecting a search query back in a “not found” error), the framework does not HTML-escape this data before rendering it in the error page.
An attacker can exploit this by crafting a malicious request containing JavaScript or HTML payloads within the error message parameters. When a victim triggers the error condition (e.g., by visiting a specially crafted URL), the injected script executes in their browser context. This happens even when `displayErrorDetails` is set to false, because the unescaped title and description are still rendered on the error path.
It is important to note that Slim’s built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) use safe, plain-text defaults. Therefore, a vanilla Slim application with no custom error-handling code is not vulnerable. Only applications that explicitly feed request-derived data into `set()` or `setDescription()` are affected. The vulnerability is classified as Reflected Cross-Site Scripting (XSS) with a CVSS score of 6.1 (Medium).
DailyCVE Form:
Platform: Slim Framework
Version: 4.4.0 – 4.15.1
Vulnerability: Reflected XSS (CWE-79)
Severity: Medium (CVSS 6.1)
Date: 2026-05-22 (Disclosed)
Prediction: 2026-05-22 (Patched)
What Undercode Say
Analytics
This vulnerability is triggered when user input is reflected into error messages without sanitization. While the attack vector requires user interaction (the victim must click a malicious link or perform an action that triggers the error), the impact can include session hijacking, theft of sensitive information, or other client-side attacks.
The EPSS score for this vulnerability is 0.03% (0.09652), indicating a relatively low probability of exploitation in the wild. However, the CVSS Temporal Score may vary based on factors like exploit availability and countermeasures. No public exploit is currently available.
Bash Commands & Codes
Check your Slim version:
composer show slim/slim
Update to the patched version:
composer require slim/slim:^4.15.2
Verify the update:
composer show slim/slim | grep versions
Vulnerable Code Example (DO NOT USE):
use Slim\Exception\HttpNotFoundException;

// Inside your route or middleware ($request is the PSR-7 request passed to the handler)
$query = $_GET['q'] ?? '';
// The search term is interpolated into the description unescaped, so it is
// reflected verbatim into the HTML error page (the vulnerable pattern).
throw (new HttpNotFoundException($request))
    ->setTitle("Search Error")
    ->setDescription("No products found matching '{$query}'.");
Patched Code Example (Safe):
use Slim\Exception\HttpNotFoundException;

// Use static, plain-text error messages; nothing request-derived reaches the renderer
throw (new HttpNotFoundException($request))
    ->setTitle("Search Error")
    ->setDescription("No products found matching your search query.");
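To find call sites that follow the vulnerable pattern in your own code base, one practical check is to tokenize each PHP file and list every `setTitle()`/`setDescription()` method call whose argument is anything other than a single constant string (interpolated strings, concatenations, variables and function calls are all reported). The script below is an added example written for this page, not code from Slim or from the advisory; it relies only on PHP's built-in tokenizer, the function names are my own, and the input scanned in the default run is a constructed copy of the vulnerable snippet above.

```php
<?php
// Added example, not part of Slim or of the advisory: list every
// ->setTitle(...) / ->setDescription(...) call whose argument is not a single
// constant string, using only PHP's built-in tokenizer (no Slim dependency).
declare(strict_types=1);

/** Drop whitespace and comment tokens so neighbouring tokens can be compared directly. */
function significantTokens(string $source): array
{
    return array_values(array_filter(
        token_get_all($source),
        static fn($tok) => !is_array($tok)
            || !in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)
    ));
}

/**
 * Return a list of ['line' => int, 'method' => string] for each setTitle()/setDescription()
 * method call in $source whose argument list is anything other than one literal string.
 * Interpolated strings ("...{$q}..."), concatenations, variables and calls are all flagged.
 */
function findDynamicErrorMessages(string $source): array
{
    $tokens = significantTokens($source);
    $n = count($tokens);
    $findings = [];

    for ($i = 1; $i + 1 < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING
            || !in_array($tok[1], ['setTitle', 'setDescription'], true)) {
            continue;
        }
        // Only method calls: the token before the name must be "->" and the one after "(".
        $prev = $tokens[$i - 1];
        if (!is_array($prev) || $prev[0] !== T_OBJECT_OPERATOR || $tokens[$i + 1] !== '(') {
            continue;
        }
        // Collect the argument tokens between the matching parentheses.
        $depth = 0;
        $args = [];
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === '(') {
                $depth++;
                if ($depth === 1) {
                    continue;
                }
            } elseif ($t === ')') {
                $depth--;
                if ($depth === 0) {
                    break;
                }
            }
            $args[] = $t;
        }
        // Safe only when the argument is exactly one constant (non-interpolated) string.
        $isLiteral = count($args) === 1
            && is_array($args[0])
            && $args[0][0] === T_CONSTANT_ENCAPSED_STRING;
        if (!$isLiteral) {
            $findings[] = ['line' => $tok[2], 'method' => $tok[1]];
        }
    }
    return $findings;
}

// Constructed sample input: a copy of the vulnerable snippet from this page.
$sample = <<<'PHP'
<?php
$query = $_GET['q'] ?? '';
throw (new HttpNotFoundException($request))
    ->setTitle("Search Error")
    ->setDescription("No products found matching '{$query}'.");
PHP;

// Usage: php find_dynamic_error_messages.php [file.php ...]
// With no arguments the constructed sample above is scanned instead.
$paths = array_slice($argv, 1);
$sources = $paths !== []
    ? array_combine($paths, array_map('file_get_contents', $paths))
    : ['<sample>' => $sample];

foreach ($sources as $name => $source) {
    foreach (findDynamicErrorMessages($source) as $f) {
        printf("%s:%d: %s() receives a non-literal argument; use a static message\n",
            $name, $f['line'], $f['method']);
    }
}
```

On the sample, the `setTitle("Search Error")` call passes as a plain literal while the interpolated `setDescription(...)` line is reported. The check is deliberately strict: a `sprintf()` or concatenation built only from constants is also flagged, which is acceptable for a review pass but worth remembering when triaging results.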
How It Is Exploited
An attacker could craft a URL with a malicious payload in the parameter that is later reflected in the error message:
https://vulnerable-app.example.com/search?q=<script>alert('XSS')</script>
If the application uses `setDescription()` with the unsanitized `q` parameter, the error page will render the script, which executes in the victim’s browser when they visit the link.
Protection
- Immediate Upgrade: The most effective protection is to upgrade to Slim 4.15.2 or later.
- Workaround – Sanitize Input: Avoid passing untrusted or request-derived data into `HttpException::setTitle()` and `setDescription()`. Always use static, plain-text error messages.
- Workaround – Custom Error Renderer: Register a custom error renderer that properly escapes the title and description. This can be done by implementing `ErrorRendererInterface` or subclassing `HtmlErrorRenderer`:

use Slim\Error\Renderers\HtmlErrorRenderer;

class EscapedHtmlErrorRenderer extends HtmlErrorRenderer
{
    protected function renderHtmlErrorMessage(\Throwable $exception): string
    {
        // Escape both values before they are placed into the HTML page
        $title = htmlspecialchars($exception->getTitle(), ENT_QUOTES, 'UTF-8');
        $description = htmlspecialchars($exception->getDescription(), ENT_QUOTES, 'UTF-8');
        // ... render the error page with escaped values
    }
}
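A complete version of the custom-renderer workaround follows, added here as an example and not taken from Slim's source. It implements `ErrorRendererInterface` rather than subclassing, so it does not depend on any protected method of `HtmlErrorRenderer`; it escapes the title and description with `htmlspecialchars()`, and it falls back to a fixed generic message for exceptions that are not `HttpException`, so no internal exception text is reflected whatever `displayErrorDetails` is set to. It assumes `slim/slim` 4.x and a PSR-7 implementation such as `slim/psr7` are installed via Composer and registers the renderer through the error middleware's default error handler; the class name `EscapingHtmlErrorRenderer` and the `/search` route are my own.

```php
<?php
// Added example, not code from Slim: an HTML error renderer that escapes the
// title and description before they reach the page. Assumes slim/slim 4.x and a
// PSR-7 implementation such as slim/psr7 are installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Slim\Exception\HttpException;
use Slim\Exception\HttpNotFoundException;
use Slim\Factory\AppFactory;
use Slim\Interfaces\ErrorRendererInterface;

final class EscapingHtmlErrorRenderer implements ErrorRendererInterface
{
    public function __invoke(\Throwable $exception, bool $displayErrorDetails): string
    {
        // Only HttpException carries a title/description. Any other exception gets a
        // fixed generic message so internal exception text is never reflected,
        // regardless of $displayErrorDetails.
        if ($exception instanceof HttpException) {
            $title = $exception->getTitle();
            $description = $exception->getDescription();
        } else {
            $title = 'Application Error';
            $description = 'An unexpected error occurred.';
        }

        // Escape for an HTML body context; ENT_SUBSTITUTE replaces invalid UTF-8
        // instead of returning an empty string, so a malformed input cannot blank the page.
        $title = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $description = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        return '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8">'
            . '<title>' . $title . '</title></head>'
            . '<body><h1>' . $title . '</h1><p>' . $description . '</p></body></html>';
    }
}

$app = AppFactory::create();

// displayErrorDetails=false, logErrors=true, logErrorDetails=true; then replace the
// default text/html renderer with the escaping one.
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->getDefaultErrorHandler()
    ->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);

// Hypothetical route: messages stay static (the page's primary advice); the renderer
// is defence in depth for any code path that still passes dynamic text.
$app->get('/search', function ($request, $response) {
    throw (new HttpNotFoundException($request))
        ->setTitle('Search Error')
        ->setDescription('No products found matching your search query.');
});

$app->run();
```

Keeping the renderer free of `$exception->getMessage()` is deliberate: with `displayErrorDetails` false the built-in renderer is expected to hide details, and a custom renderer should not reintroduce them through another unescaped field.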
Impact
- Confidentiality: Low – An attacker could potentially read sensitive data from the victim’s browser session.
- Integrity: Low – The attacker could perform actions on behalf of the victim or deface the error page.
- Availability: None – The vulnerability does not affect the availability of the application.
- Attack Vector: Network – The vulnerability is remotely exploitable.
- User Interaction: Required – The victim must interact with a malicious link or request.
- Scope: Changed – The vulnerability can affect resources beyond the vulnerable component.
While the severity is rated as Medium, the impact can be more severe in applications that handle sensitive user data or where the error messages are frequently displayed to authenticated users.
Sources:
Reported By: github.com