CVE-2026-48157 slimphp CVE debrief

Who should care

Developers using Slim PHP micro framework versions 4.4.0 through 4.15 in their applications, especially those that handle user input and display error pages.

Technical summary

The Slim PHP micro framework is vulnerable to arbitrary HTML/JavaScript injection in error pages. This occurs when HttpException::setTitle() and/or setDescription() are used with untrusted/request-derived data. The issue is present in versions 4.4.0 through 4.15 and has been fixed in version 4.15.2. To mitigate, developers should avoid passing untrusted data into these methods and use static, plain-text error messages instead. A custom error renderer that escapes title and description can also be implemented.

Defensive priority

High

Recommended defensive actions

• Update Slim PHP micro framework to version 4.15.2 or later.
• Avoid passing untrusted/request-derived data into HttpException::setTitle() and setDescription().
• Use static, plain-text error messages.
• Implement a custom error renderer that escapes title and description.

Evidence notes

CVE-2026-48157 is a confirmed vulnerability in the Slim PHP micro framework. The issue allows for arbitrary HTML/JavaScript injection in error pages, potentially leading to XSS attacks. The vulnerability has been fixed in version 4.15.2.

Official resources